logging permission denied
Adam Tkac
atkac at redhat.com
Fri Sep 19 13:29:35 UTC 2008
On Fri, Sep 19, 2008 at 06:08:10AM -0700, aklist wrote:
> On Thu, 18 Sep 2008 10:36:02 -0700 Chris Buxton <cbuxton at menandmice.com> wrote
>
> > Here's the quick fix for a chroot'd path:
> >
> > What you see as /var/named/chroot/, named will see as /. Therefore, if
> > you want the path to be /var/named/chroot/var/log, you would put
> > /var/log into the logging statement.
> >
> > You cannot put a symlink into the chroot jail that leads outside of
> > the jail. You should not create any hardlinks in the jail that share
> > nodes with outside files or directories, because that provides an
> > attacker with an avenue for escape from the jail. What you can do is
> > to put a symlink called 'named' into /var/log that points to
> > /var/named/chroot/var/log. Then if named is logging to /var/log (inside
> > the jail), you can access its logs at the path /var/log/named.
>
> Thanks for that, Chris.
> >
> > And you should turn SELinux off if you don't have experience
> > maintaining it.
>
> I wasn't aware that it was "on"...is this some feature of Fedora that's
> enabled by default?
>
That "feature" was enabled a long time ago. You can read the BIND FAQ
(http://www.isc.org/index.pl?/sw/bind/FAQ.php), question
"Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core". It
should explain to you how to configure BIND & SELinux.
Adam
--
Adam Tkac, Red Hat, Inc.
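
Added example, not part of the original thread: a small audit of a chroot tree for the two things the quoted advice warns about, symlinks whose target lies outside the jail and regular files that share an inode with a name outside the jail. The function names (host_path, audit_jail, demo) and the files built in demo() are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import Counter

def host_path(jail, path_in_jail):
    """Path named uses inside the jail -> path an admin sees on the host."""
    return os.path.join(jail, path_in_jail.lstrip("/"))

def audit_jail(jail):
    """Return (symlinks resolving outside the jail, files hardlinked from outside)."""
    jail = os.path.realpath(jail)
    outside_links, in_jail, nlink = [], Counter(), {}
    for root, dirs, files in os.walk(jail):   # os.walk does not follow symlinks
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # Host view of the target; a chrooted named cannot reach it.
                target = os.path.realpath(path)
                if os.path.commonpath([jail, target]) != jail:
                    outside_links.append(path)
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                in_jail[key] += 1
                nlink[key] = (st.st_nlink, path)
    # Fewer names inside the jail than the inode's link count means another
    # name for the same inode exists outside the jail.
    shared = sorted(p for k, (n, p) in nlink.items() if in_jail[k] < n)
    return sorted(outside_links), shared

def demo():
    """Build a constructed jail in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as top:
        jail = os.path.join(top, "chroot")
        os.makedirs(host_path(jail, "/var/log"))
        os.makedirs(os.path.join(top, "etc"))
        outside = os.path.join(top, "etc", "rndc.key")      # constructed file
        open(outside, "w").close()
        os.link(outside, host_path(jail, "/rndc.key"))      # hardlink shared with outside
        os.symlink(outside, host_path(jail, "/key-link"))   # symlink leaving the jail
        os.symlink("var/log", host_path(jail, "/logs"))     # symlink staying inside
        a = host_path(jail, "/var/log/a"); open(a, "w").close()
        os.link(a, host_path(jail, "/var/log/b"))           # both names inside: fine
        links, shared = audit_jail(jail)
        rel = lambda ps: [os.path.relpath(p, os.path.realpath(jail)) for p in ps]
        return rel(links), rel(shared)

if __name__ == "__main__":
    print(demo())
```

Run against a real jail with audit_jail("/var/named/chroot"); the symlink suggested in the thread lives in the host's /var/log, outside the jail, so it is not reported.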