[CentOS] Selinux blocking bind access to named/data and slave directories

2013-02-14 Thread Robert Moskowitz
I was getting permission errors (seen in /var/log/messages) in accessing 
these two directories within my chroot tree.  I was pulling out what 
little hair I have, as the permissions were identical to those on my 
Centos 5.5 server.  So I switched selinux into permissive mode and now I 
have /var/named/chroot/var/named/data/named.run and my /named/slave/ 
stubs.

What is the selinux magic to allow bind to write here?


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Selinux blocking bind access to named/data and slave directories

2013-02-14 Thread Frederico Madeira
Robert,

Send the output of these two commands:

ps -eZ | grep named
ls -alZ in the directories that you want to allow bind to write to


Att,

Frederico Madeira
fmade...@gmail.com
www.madeira.eng.br


2013/2/14 Robert Moskowitz r...@htt-consult.com

> I was getting permission errors (seen in /var/log/messages) in accessing
> these two directories within my chroot tree.  I was pulling out what
> little hair I have, as the permissions were identical to those on my
> Centos 5.5 server.  So I switched selinux into permissive mode and now I
> have /var/named/chroot/var/named/data/named.run and my /named/slave/
> stubs.
>
> What is the selinux magic to allow bind to write here?



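As an added example (not from the thread), a small POSIX sh script that works on the kind of `ls -Z` listing Frederico asks for: it reads `ls -dZ` lines, flags the writable BIND directories whose SELinux type is not `named_cache_t`, and emits the relabel command. The sample listing is constructed, uses the el6 five-column `ls -dZ` layout, and deliberately mislabels the data directory.

```shell
#!/bin/sh
# Added example, not from the thread: parse `ls -dZ` output for the directories
# named must write inside the chroot and flag any whose SELinux type is not
# named_cache_t. In the CentOS targeted policy, /var/named/chroot/var/named/data,
# slaves and dynamic are named_cache_t (writable by named_t); everything else
# under /var/named/chroot/var/named inherits named_zone_t, which named can only
# read unless the named_write_master_zones boolean is turned on.

# Constructed sample of el6-style `ls -dZ` lines (mode owner group context path);
# the data directory here has been deliberately mislabeled as named_zone_t.
SAMPLE='drwxrwx---. named named system_u:object_r:named_zone_t:s0 /var/named/chroot/var/named/data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/chroot/var/named/slaves
drwxr-x---. root named system_u:object_r:named_zone_t:s0 /var/named/chroot/var/named'

# Read ls -dZ lines on stdin; print "<path> <type>" for each data/slaves/dynamic
# directory whose type is not named_cache_t. Other paths are ignored.
find_mislabeled() {
    while read -r _mode _owner _group ctx path; do
        [ -n "$path" ] || continue
        case "${path##*/}" in
            data|slaves|dynamic) ;;
            *) continue ;;
        esac
        setype=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$setype" = "named_cache_t" ] || printf '%s %s\n' "$path" "$setype"
    done
}

# For each flagged path, emit the relabel command. restorecon reapplies the
# policy's file_contexts, which already map these standard names to named_cache_t.
suggest_fix() {
    while read -r path _setype; do
        printf 'restorecon -Rv %s\n' "$path"
    done
}

# Real use: ls -dZ /var/named/chroot/var/named/* | find_mislabeled | suggest_fix
printf '%s\n' "$SAMPLE" | find_mislabeled | suggest_fix
```

A directory under a non-standard name such as `slave` inherits `named_zone_t` from the parent pattern and restorecon will not change it; it needs a context rule first (`semanage fcontext -a -t named_cache_t '/var/named/chroot/var/named/slave(/.*)?'`) and then restorecon. The denials themselves are recorded in /var/log/audit/audit.log, where `audit2why` explains which type or boolean is missing.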


Re: [CentOS] Selinux blocking bind access to named/data and slave directories

2013-02-14 Thread Peter Brady
On 14/02/13 7:23 PM, Robert Moskowitz wrote:
> I was getting permission errors (seen in /var/log/messages) in accessing
> these two directories within my chroot tree.  I was pulling out what
> little hair I have, as the permissions were identical to those on my
> Centos 5.5 server.  So I switched selinux into permissive mode and now I
> have /var/named/chroot/var/named/data/named.run and my /named/slave/
> stubs.
>
> What is the selinux magic to allow bind to write here?

Hi,

This may start a debate but it is my understanding that RH recommends to
not use chroot jails with bind as selinux is more secure.  For some
additional information see the following extract from the BIND 9 FAQ:

https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

Right now I can't locate this on the new ISC website though.  There is
also an selinux section in the named(8) manual page, for example:

http://linux.die.net/man/8/named

which states pretty much the same.

If you wish to stay with chroot then the key is probably to install the
bind-chroot package and ensure that the ROOTDIR variable is set
correctly in:

/etc/sysconfig/named

For what it's worth, I'm running a number of master/slave DNS servers
under selinux with no problems.  Any updates on the master propagate happily
to the slaves.  Mind you, these are low traffic DNS servers that sit
behind a firewall.

Cheers
-pete

-- 
Peter Brady
Email: pdbr...@ans.com.au
Skype: pbrady77





Re: [CentOS] Selinux blocking bind access to named/data and slave directories

2013-02-14 Thread Robert Moskowitz

On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in accessing
>> these two directories within my chroot tree.  I was pulling out what
>> little hair I have, as the permissions were identical to those on my
>> Centos 5.5 server.  So I switched selinux into permissive mode and now I
>> have /var/named/chroot/var/named/data/named.run and my /named/slave/
>> stubs.
>>
>> What is the selinux magic to allow bind to write here?
> Hi,
>
> This may start a debate but it is my understanding that RH recommends to
> not use chroot jails with bind as selinux is more secure.

Oh NO!!! A security debate!!!

Well this system is only for bind and as an internal ntp server, so 
maybe I can keep selinux on.  But then I am a communications security 
specialist not an OS security specialist, so I can't contribute as to 
which is more limiting on bind's access to things it should not see.

> For some additional information see the following extract from the BIND 9 FAQ:
>
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

More reading.

> Right now I can't locate this on the new ISC website though.

A number of them are my IETF buddies, so I can (and will) ask them directly.

> There is also an selinux section in the named(8) manual page, for example:
>
> http://linux.die.net/man/8/named
>
> which states pretty much the same.
>
> If you wish to stay with chroot then the key is probably to install the
> bind-chroot package and ensure that the ROOTDIR variable is set
> correctly in:
>
> /etc/sysconfig/named

Done but that did not help with selinux and the named/data directory.

> For what it's worth, I'm running a number of master/slave DNS servers
> under selinux with no problems.  Any updates on the master propagate happily
> to the slaves.  Mind you, these are low traffic DNS servers that sit
> behind a firewall.

This will sit behind a firewall, but has an external view.  Another 
thing is I have to learn about supporting the 4096 possible UDP source 
ports on my firewall.  That is yet another thing to fix.  And STILL not 
yet to DNSSEC config.

I will probably rebuild the test box over the weekend and try without 
chroot.

