SELinux / bind conflict

Andrews, Harold G CTR USAF HQ AF GCIC/CT Harold.Andrews.Ctr at langley.af.mil
Fri Sep 11 21:36:11 UTC 2009


Hello,
I'm having a bit of difficulty setting up bind on FC11 (x64) which I'm
using in a standalone network environment (i.e. no external network
connectivity; essentially a closed dev network).  I loaded the package
from Red Hat and started it running as a service after building my zone
files and /etc/named.conf.  I'm not using chroot, just vanilla bind.
I've read a number of posts about conflicts with bind and SELinux which
seems to be the issue here.  When I set the named_write_master_zones
flag in SELinux, any actions related to starting or stopping the named
service seem to set the flag back to false.

> restorecon -R -v /var/named
> setsebool -P named_write_master_zones=1


Message log entry:

Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root

> service named restart

Message log entry:

Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: shutting down: flushing changes
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on 127.0.0.1#953
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on ::1#953
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 127.0.0.1#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 192.168.2.0#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on ::1#53
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 11 17:13:20 netmgr named[3270]: adjusted limit on open files from 1024 to 1048576
Sep 11 17:13:20 netmgr named[3270]: found 4 CPUs, using 4 worker threads
Sep 11 17:13:20 netmgr named[3270]: using up to 4096 sockets
Sep 11 17:13:20 netmgr named[3270]: loading configuration from '/etc/named.conf'
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv4 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv6 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface eth0, 192.168.2.0#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv6 interface lo, ::1#53
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 127.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: D.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: A.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: B.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: command channel listening on 127.0.0.1#953
Sep 11 17:13:20 netmgr named[3270]: command channel listening on ::1#953
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: loaded serial 9091101
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost.localdomain/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone u-giif.af.mil/IN: loaded serial 9091103
Sep 11 17:13:20 netmgr named[3270]: running
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35


Thoughts as to how to convince SELinux that I wasn't kidding?  Thanks.
-Andy
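The log excerpt in the post shows something a defender should be able to spot automatically: an SELinux boolean flipped back to 0 "by root" in the very same second that named received its stop command, without the administrator running setsebool again. Whatever the cause on a given box (a service script, a configuration management run, or something less benign), an unexplained change to an SELinux boolean is a policy weakening or strengthening that deserves an audit trail. The script below is an added example, written for this page and not code from the original post, from ISC, or from Fedora. It parses syslog-style `setsebool:` and `named[pid]:` lines in the format shown above, flags any boolean whose new value differs from what the administrator intended, and reports whether the flip coincides with a named start or stop within a short window. The sample log is constructed and modelled on the post's excerpt; the year passed to the timestamp parser is an assumption, because syslog timestamps in this format carry no year.

```python
"""Audit a syslog 'messages' excerpt for SELinux boolean flips that coincide
with a named restart. Added illustration for this page; not from the post."""
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the post (not a real capture).
SAMPLE_LOG = """\
Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root
Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:20 netmgr named[3270]: running
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory
"""

# Classic syslog timestamp: "Sep 11 17:13:11" (no year).
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
SETSEBOOL_RE = re.compile(
    TS + r" (?P<host>\S+) setsebool: The (?P<name>\S+) policy boolean "
         r"was changed to (?P<val>[01]) by (?P<user>\S+)")
NAMED_RE = re.compile(TS + r" (?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<msg>.*)")
# named messages that mark a stop or a start of the daemon.
LIFECYCLE = ("received control channel command 'stop'", "exiting", "starting BIND")


def parse_ts(text, year=2009):
    # The year is an assumption supplied by the caller; syslog omits it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_events(log, year=2009):
    """Return boolean-change and named-lifecycle events in log order."""
    events = []
    for line in log.splitlines():
        m = SETSEBOOL_RE.match(line)
        if m:
            events.append({"kind": "boolean", "ts": parse_ts(m["ts"], year),
                           "name": m["name"], "value": int(m["val"]),
                           "user": m["user"]})
            continue
        m = NAMED_RE.match(line)
        if m and m["msg"].startswith(LIFECYCLE):
            events.append({"kind": "named", "ts": parse_ts(m["ts"], year),
                           "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def find_boolean_regressions(log, expected, window_seconds=5, year=2009):
    """List boolean changes whose new value differs from the intended value
    in `expected` ({boolean_name: 0|1}), noting whether a named stop/start
    happened within `window_seconds` of the change."""
    events = parse_events(log, year)
    named = [e for e in events if e["kind"] == "named"]
    findings = []
    for e in events:
        if e["kind"] != "boolean" or e["name"] not in expected:
            continue
        if e["value"] == expected[e["name"]]:
            continue  # the change matches what the admin intended
        delta = lambda n: abs((n["ts"] - e["ts"]).total_seconds())
        nearby = [n for n in named if delta(n) <= window_seconds]
        findings.append({
            "name": e["name"], "value": e["value"], "user": e["user"],
            "ts": e["ts"].strftime("%b %d %H:%M:%S"),
            "coincides_with_named_restart": bool(nearby),
            "nearest": min(nearby, key=delta)["msg"] if nearby else None,
        })
    return findings


if __name__ == "__main__":
    # The administrator in the post intended the boolean to stay at 1.
    for f in find_boolean_regressions(SAMPLE_LOG, {"named_write_master_zones": 1}):
        print(f"{f['ts']} {f['name']} -> {f['value']} by {f['user']}; "
              f"named restart nearby: {f['coincides_with_named_restart']} "
              f"({f['nearest']})")
```

Run against the sample, the script reports exactly one regression: `named_write_master_zones` set to 0 by root at 17:13:19, with the nearest named event being the `stop` control command in the same second. Pointed at a real `/var/log/messages` (or at `journalctl -o short` output, which uses the same timestamp shape), the same check gives an auditable answer to the question the post is asking, namely who or what reset the boolean and when, which is a better starting point than re-running `setsebool -P` until it sticks.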
