Confused about SELinux error
ToddAndMargo
ToddAndMargo at zoho.com
Mon Aug 14 20:57:23 UTC 2017
>> ----- Original Message -----
>> From: "ToddAndMargo" <ToddAndMargo at zoho.com>
>> To: bind-users at lists.isc.org
>> Sent: Friday, August 11, 2017 10:39:11 PM
>> Subject: Confused about SELinux error
>>
>> Hi All,
>>
>> What does this SELinux error mean when I start bin-chroot?
>>
>> # semanage fcontext -a -t FILE_TYPE 'session.key'
>>
>> where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
>> ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
>> named_log_t, named_tmp_t, named_var_run_t.
>>
>> # semanage fcontext -a -t named_var_run_t 'session.key'
>> # restorecon -v 'session.key'
>>
>>
>> How am I supposed to know what "FILE_TYPE" they are talking about?
>>
>> -T
On 08/14/2017 06:26 AM, Petr Mensik wrote:
> Hi Todd,
>
> that means you are trying to save session.key into a directory where SELinux is forbidding write access to named.
> Session.key is file created once per start and removed before shutdown. I think you have something wrong with link /var/run/named -> /run/named link.
> Default built-in value is /var/run/named/session.key. Default Fedora configuration uses /run/named/session.key. Both paths should work without difference.
>
> Correct selinux type for files in /run/named is named_var_run_t. I think you should run instead:
> $ restorecon -rv /run/named /var/run/named
>
> Then restart named service. Context of a new file should be already correct.
>
> Do you have this option in your configuration file? What is its value?
> # options { ...
> session-keyfile "/run/named/session.key";
>
> It would be helpful if you include your configuration in readable form, please.
Chuckle. I promise not to use zoho's web mail. And
I thought gMail's web mail stunk!
> Listed types are more likely types named is allowed to touch. I admit SELinux errors are often confusing. What you have written here are hints to you how to solve the error, not the error itself.
> More helpful errors would be printed by:
> $ ausearch -i -ts today -m avc -m user_avc -m selinux_err
>
> Regards,
> Petr
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com PGP: 65C6C973
>
Hi Petr,
Thank you for responding! I have attached my
named.conf and my dhcpd.conf
I have an rndc.key in /var/named/chroot/etc/:
key "rndckey" {
algorithm hmac-md5;
secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};
But I don't see named.conf calling it out. It may
be a hold over from the previous CentOS 5 installation.
I do see "key DHCP_UPDATER" called out. Perhaps
that is what rndckey is about?
-T
~~~~~~~~~~~~~ named.conf ~~~~~~~~~~~~~~~
options {
# the following forwarders is for Open DNS
forwarders { 208.67.222.222; 208.67.220.220; };
directory "/var/named";
};
zone "." {
type hint;
file "named.ca";
};
key DHCP_UPDATER {
algorithm hmac-md5;
secret xxxxxxxxxxxxxxxxxxxxxxxx;
};
zone "xxxx.local" {
type master;
file "slaves/xxxxx.hosts";
allow-update { key DHCP_UPDATER; };
# allow-update { 127.0.0.1; };
};
zone "yyy.168.192.in-addr.arpa" {
type master;
file "slaves/xxxxx.hosts.rev";
allow-update { key DHCP_UPDATER; };
# allow-update { 127.0.0.1; };
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};
logging {
channel update_debug {
file "slaves/named-update-debug.log";
severity debug 3;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "slaves/named-auth.info";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update_debug; };
category security { security_info; };
};
~~~~~~~~~~~~~ dhcpd.conf ~~~~~~~~~~~~~~~
DHCPDARGS=eno1;
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
option ntp-servers 192.168.xxx.yyy;
option domain-name "xxxxxx.local";
option domain-name-servers 192.168.xxx.yyy;
option netbios-node-type 8;
key DHCP_UPDATER {
algorithm hmac-md5;
secret xxxxxxxxxxxxxxxxxxxxxxx;
};
zone xxxxx.local. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone xxx.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
subnet 192.168.xxx.0 netmask 255.255.255.0 {
range 192.168.xxx.100 192.168.xxx.200;
default-lease-time 10368000;
max-lease-time 10368000;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.xxx.255;
option routers 192.168.xxx.yyy;
option domain-name-servers 192.168.xxx.yyy;
option domain-name "xxxxxx.local";
option time-offset 39600;
option ip-forwarding off;
option netbios-node-type 1;
# numerous fix IP removed for brevity
}
subnet aaa.bbb.ccc.ddd netmask 255.255.255.252 {}
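Editor's addition, not part of the thread above and not code from ISC or Red Hat: Petr's point is that the `semanage fcontext` lines in the SELinux alert are only a hint, and that the raw AVC records from `ausearch -m avc` tell you what was actually denied. The script below parses constructed `type=AVC` records of the kind `ausearch` returns and sorts each one into "file is mislabeled, run restorecon" versus "label is already right, the policy itself forbids the access". The expected label for /run/named and /var/run/named (named_var_run_t) is taken from Petr's reply; the /var/named and /var/named/slaves labels (named_zone_t, named_cache_t) are the standard BIND policy labels and are an assumption you should confirm with `matchpathcon` on your own box. The audit lines, pids and inode numbers are constructed samples, and the `name_hints` argument (mapping a bare `name="session.key"` to the path from the `session-keyfile` option) is a hypothetical convenience, not an audit feature.

```python
"""Triage SELinux AVC denials for named (BIND) from raw audit records.

Added example: reads `type=AVC` lines as printed by `ausearch -m avc`,
and for denials whose source domain is named_t decides whether the
target is mislabeled (fix with restorecon) or correctly labeled but
blocked by policy (look at booleans / audit2allow instead).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expected SELinux object types for named's directories.
# /run/named and /var/run/named -> named_var_run_t is from the thread;
# the /var/named entries are the usual BIND policy labels (assumption:
# verify locally with `matchpathcon <path>`).
EXPECTED_TYPES = {
    "/run/named": "named_var_run_t",
    "/var/run/named": "named_var_run_t",
    "/var/named/slaves": "named_cache_t",
    "/var/named": "named_zone_t",
}

# One audit AVC record, e.g.
# type=AVC msg=audit(1502736001.101:201): avc:  denied  { write } for  pid=... comm="named" ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit records (not real logs from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1502736001.101:201): avc:  denied  { write } for  pid=4242 comm="named" name="session.key" dev="tmpfs" ino=31337 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502736002.202:202): avc:  denied  { add_name } for  pid=4242 comm="named" name="xxxxx.hosts.jnl" path="/var/named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1502736003.303:203): avc:  denied  { read } for  pid=999 comm="dhcpd" path="/etc/dhcp/dhcpd.conf" scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""


@dataclass
class Avc:
    serial: int
    result: str
    perms: List[str]
    fields: Dict[str, str]

    def ctx_type(self, key: str) -> str:
        # A context is user:role:type:level; the type is what policy acts on.
        return self.fields.get(key, "::unknown").split(":")[2]


@dataclass
class Triage:
    kind: str  # mislabel | policy | not_named | unknown_path
    path: str
    observed_type: str
    expected_type: Optional[str]
    advice: str


def parse_avc_records(text: str) -> List[Avc]:
    """Parse every type=AVC line in `text`; other record types are skipped."""
    recs = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        recs.append(Avc(int(m.group("serial")), m.group("result"),
                        m.group("perms").split(), fields))
    return recs


def expected_type_for(path: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix lookup so /var/named/slaves wins over /var/named."""
    best = None
    for prefix, stype in EXPECTED_TYPES.items():
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, stype)
    return best


def triage(rec: Avc, name_hints: Optional[Dict[str, str]] = None) -> Triage:
    """Decide whether a named_t denial is a labeling or a policy problem."""
    # The kernel often logs only name="session.key" for a new file; name_hints
    # (hypothetical helper input, e.g. from named.conf's session-keyfile) maps
    # that bare name to the directory it lives in.
    path = rec.fields.get("path") or (name_hints or {}).get(
        rec.fields.get("name", ""), rec.fields.get("name", "?"))
    observed = rec.ctx_type("tcontext")
    if rec.ctx_type("scontext") != "named_t":
        return Triage("not_named", path, observed, None,
                      "source domain is not named_t; not a BIND denial")
    match = expected_type_for(path)
    if match is None:
        return Triage("unknown_path", path, observed, None,
                      "no expected label known; check `matchpathcon %s`" % path)
    prefix, expected = match
    if observed != expected:
        return Triage("mislabel", path, observed, expected,
                      "file is mislabeled; run: restorecon -Rv %s" % prefix)
    return Triage("policy", path, observed, expected,
                  "label is correct, policy forbids {%s} on %s; check booleans "
                  "(getsebool -a | grep named) or audit2allow -w -a"
                  % (" ".join(rec.perms), rec.fields.get("tclass", "?")))


if __name__ == "__main__":
    hints = {"session.key": "/run/named/session.key"}  # from session-keyfile
    for rec in parse_avc_records(SAMPLE_AUDIT_LOG):
        t = triage(rec, hints)
        print("%d %-12s %-28s %s -> %s" % (rec.serial, t.kind, t.path,
                                           t.observed_type, t.advice))
```

Record 201 is the thread's situation: named_t denied write on a file labeled with the generic var_run_t instead of named_var_run_t, which `restorecon -Rv /run/named` fixes, exactly as Petr says. Record 202 is the other common case with dynamic zones: the directory is correctly named_zone_t, which policy keeps read-only for named, so relabeling will not help; that is why the config above keeps its updatable zones under slaves/. On a live system feed the script `ausearch -m avc -ts today --raw` instead of the constructed sample.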