bind chrooted, logging and SELinux = suffering

Mariano Cunietti mcunietti at enter.it
Wed Jun 1 14:06:08 UTC 2005


Hi,
I'm running Bind 9.2.4 chrooted (bind-chroot.rpm, directory
/var/named/chroot/) on a RedHat 4EL server, with SELinux enforced.
After a lot of trouble (solved!) with slave zone transfers (take a look
at the message "Solution to slave zone transfer problem" by Jason Vas Dias
<jvdias at redhat.com>), I always get the same error while trying to log to
any file other than /dev/log:

logging {
        // channel for security-related events; named runs chrooted, so
        // this path resolves to /var/named/chroot/var/log/dns-sec.log
        channel seclog {
                file "/var/log/dns-sec.log" versions 5 size 1m;
                print-time yes; print-category yes;
        };
        category xfer-out { seclog; };
        category security { seclog; };
        category lame-servers { null; };
};

# ls -l /var/named/chroot/
drwxrwxr--  2 root named 4096 May 31 14:50 dev
drwxrwx---  2 root named 4096 Jun  1 15:57 etc
drwxrwx---  6 root named 4096 May 31 15:18 var

# ls -l /var/named/chroot/var
drwxrwx---  2 named named 4096 May 31 15:18 log
drwxrwx---  4 root  named 4096 Jun  1 15:19 named
drwxrwx---  3 root  named 4096 May 30 16:03 run
drwxrwx---  2 named named 4096 May 31 17:31 tmp

# ls -l /var/named/chroot/var/log
-rw-rw----  1 named named 0 May 31 15:18 dns-sec.log

# tail -f /var/log/messages

Jun  1 15:40:03 dexter named[29371]: loading configuration from
/etc/named.conf'
Jun  1 15:40:03 dexter named[29371]: logging channel 'seclog' file
'/var/log/dns-sec.log': permission denied
Jun  1 15:40:03 dexter kernel: audit(1117633203.103:0): avc:  denied  {
append } for  pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2
ino=3801110 scontext=root:system_r:named_t 
tcontext=root:object_r:named_conf_t tclass=file
Jun  1 15:40:03 dexter named: named reload succeeded


I think SELinux is causing a lot of problems. How can I disable all of
these constraints without shutting it off? How is it possible that
RedHat is not concerned about an official RPM *NOT* working because of
conflicts with other default configurations??
Did anybody else get these pains in the a*s?

I'm really disgruntled. How can we encourage security when the only way
out is no-security??

Thanks


-- 
-------------------------
Mariano Cunietti
System Administrator
Enter S.r.l.
Via  Stefanardo da Vimercate, 28
20128 - Milano - Italy
Tel.  +39 02 25514319
Fax   +39 02 25514303
mcunietti at enter.it
www.enter.it - www.enterpoint.it
---------------------------
Gruppo Y2K - www.gruppoy2k.it
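A small diagnostic for the AVC line quoted in the post, added here as an example and not part of the original message or of BIND or Red Hat: it parses the kernel's denial record, pulls out the source and target SELinux types, and reports that named_t was refused append on a file labelled named_conf_t. It assumes (not stated in the post) that the targeted policy's writable log type for named is named_log_t.

```python
import re

# Constructed sample: the AVC line from the post, re-joined onto one line
# (the kernel emits it unwrapped; the archive wrapped it for display).
SAMPLE_AVC = (
    "Jun  1 15:40:03 dexter kernel: audit(1117633203.103:0): avc:  denied  "
    "{ append } for  pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 "
    "ino=3801110 scontext=root:system_r:named_t "
    "tcontext=root:object_r:named_conf_t tclass=file"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")

# Assumption, not stated in the post: in the targeted policy the file type
# that named_t may append to under the chroot's var/log is named_log_t.
EXPECTED_LOG_TYPE = "named_log_t"
WRITE_PERMS = {"append", "write", "create"}

def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    """user:role:type[:level] -> type (the part the policy rules match on)."""
    return context.split(":")[2]

def diagnose(line):
    """Explain a named_t write denial on a mislabelled file, else None."""
    d = parse_avc(line)
    if d is None or d.get("tclass") != "file":
        return None
    wanted = sorted(WRITE_PERMS & set(d["perms"]))
    src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
    if src != "named_t" or not wanted or tgt == EXPECTED_LOG_TYPE:
        return None
    return (f"named (pid {d['pid']}) denied {' '.join(wanted)} on {d['name']}: "
            f"file is labelled {tgt}, a log file should be {EXPECTED_LOG_TYPE} "
            f"(relabel with chcon -t {EXPECTED_LOG_TYPE}, or semanage fcontext "
            f"plus restorecon to make the label survive a relabel)")

if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC))
```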
