problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Gordon Lang glang at goalex.com
Mon Sep 28 21:36:28 UTC 2015


Here are the non-comment lines of /etc/selinux/config:
    SELINUX=permissive
    SELINUXTYPE=targeted


The /var/log/audit/audit.log has a lot of lines that look like the same
thing over and over.  I don't have audit2allow, so here it is raw (with
some line breaks):

    type=SYSCALL msg=audit(1443475664.001:786107): arch=c000003e syscall=82 success=yes
    exit=0 a0=7f8e9d5affd8 a1=7f8e9cc81fe8 a2=7f8e98452b30 a3=0 items=5 ppid=1 pid=3873
    auid=7202 uid=2076 gid=30046 euid=2076 suid=2076 fsuid=2076 egid=30046 sgid=30046
    fsgid=30046 tty=(none) ses=13948 comm="named" exe="/export/local/ISC/bind-9.10.3/sbin/named"
    subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"


I built the code with autoconf as follows:
    ./configure --prefix=/export/local/ISC/bind-9.10.3
    make
    make install
    cd /export/local/ISC/bind-9.10.3/sbin
    chown root named
    chmod g-w named
    chmod u+s named


On Sun, Sep 27, 2015 at 8:54 PM, Carl Byington <carl at byington.org> wrote:

> On Sun, 2015-09-27 at 15:31 -0400, Gordon Lang wrote:
>
> > > It works fine with BIND 9.9.3 but not 9.10.3 on the same server.
>
> Since this is rhel6, I presume you are running with selinux:
>
> cat /etc/selinux/config
>
> grep named /var/log/audit/audit.log | audit2allow
>
> How did you do the build of 9.10.3 on rhel6? Did you build rpms from a
> .spec file, or just a raw autoconf (./configure;make;make install)
> build?
>



-- 

--
Gordon A. Lang
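
Added example, not part of the original message: a small Python triage for raw audit.log lines when audit2allow is not available, separating SELinux AVC denials from SYSCALL records logged because an audit rule matched (a non-null `key=`). The AVC line, the syscall-number subset and the `triage` function name are constructed for illustration.

```python
import re

# Constructed input: line 1 is the SYSCALL record from the message, rejoined onto
# one line; line 2 is a made-up AVC denial added only for contrast.
SAMPLE = [
    'type=SYSCALL msg=audit(1443475664.001:786107): arch=c000003e syscall=82 '
    'success=yes exit=0 a0=7f8e9d5affd8 a1=7f8e9cc81fe8 a2=7f8e98452b30 a3=0 '
    'items=5 ppid=1 pid=3873 auid=7202 uid=2076 gid=30046 euid=2076 suid=2076 '
    'fsuid=2076 egid=30046 sgid=30046 fsgid=30046 tty=(none) ses=13948 '
    'comm="named" exe="/export/local/ISC/bind-9.10.3/sbin/named" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"',
    'type=AVC msg=audit(1443475700.123:786200): avc:  denied  { read } for  '
    'pid=4001 comm="named" name="example.conf" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
]

# Small subset of the x86_64 syscall table (arch=c000003e): removal/rename only.
X86_64_SYSCALLS = {82: "rename", 84: "rmdir", 87: "unlink",
                   263: "unlinkat", 264: "renameat"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \}')


def triage(line):
    """Summarise one audit.log line: SELinux denial, audit-rule hit, or other."""
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if f.get("type") == "AVC":
        m = PERMS_RE.search(line)
        if m:
            return {"kind": "selinux-denial", "comm": f.get("comm"),
                    "perms": m.group(1).split(),
                    "source_type": f["scontext"].split(":")[2],
                    "tclass": f.get("tclass")}
    if f.get("type") == "SYSCALL":
        name = None
        if f.get("arch") == "c000003e" and f.get("syscall", "").isdigit():
            name = X86_64_SYSCALLS.get(int(f["syscall"]))
        key = f.get("key")
        # A non-null key means an audit rule tagged with that key matched.
        hit = key not in (None, "(null)")
        return {"kind": "audit-rule-hit" if hit else "syscall",
                "comm": f.get("comm"), "syscall": name, "key": key,
                "success": f.get("success") == "yes", "euid": int(f["euid"]),
                "domain": f["subj"].split(":")[2]}
    return {"kind": "other"}


if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
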