Unable to start Bind on a fresh RHEL 8.6 system with enforcing SELinux

Reindl Harald h.reindl at thelounge.net
Fri Jun 10 11:04:22 UTC 2022



On 10.06.22 at 12:59, Søren Andersen wrote:
> I think the source of the systemd unit file is from: 
> https://gitlab.isc.org/isc-packages/rpms/bind/-/blob/main/named.service.in 
> 
> (And I'm using ISC's repo)
> 
> Perhaps Michał Kępień has any idea? 🙂

please don't convert plain-text mails in a reply to HTML, it looks like 
after a war when converted back to plaintext

as said, the line should be removed

[root at srv-rhsoft:~]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network-up.service
Requires=network-online.target network-up.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
PermissionsStartOnly=true
TimeoutSec=25
Restart=always
RestartSec=1

PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX AF_NETLINK
RestrictRealtime=yes
SystemCallArchitectures=native
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

SystemCallFilter=@system-service @network-io @mount
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @resources @swap

LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes

> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of 
> Reindl Harald <h.reindl at thelounge.net>
> *Sent:* Friday, 10 June 2022 12.53
> *To:* bind-users at lists.isc.org <bind-users at lists.isc.org>
> *Subject:* Re: Unable to start Bind on a fresh RHEL 8.6 system with 
> enforcing SELinux
> [EXTERNAL MAIL]
> 
> 
> On 10.06.22 at 10:52, Søren Andersen wrote:
>> I've installed a fresh BIND on a RHEL 8.6 system with enforcing SELinux,
>> and when I try to start BIND with the provided systemd unit file it just
>> waits and times out, and also logs these errors in /var/log/message
>>
>> Jun 10 10:09:25 systemd[1]: isc-bind-named.service: Can't convert PID
>> files /var/opt/isc/scls/isc-bind/run/named/named.pid O_PATH file
>> descriptor to proper file descriptor: Permission denied
>> Jun 10 10:09:25 systemd[1]: isc-bind-named.service: Can't convert PID
>> files /var/opt/isc/scls/isc-bind/run/named/named.pid O_PATH file
>> descriptor to proper file descriptor: Permission denied
>>
>> If I remove PIDFile from the systemd unit, it just works fine.
>>
>>
>> [Service]
>> Type=forking
>> EnvironmentFile=-/etc/opt/isc/scls/isc-bind/sysconfig/named
>> #PIDFile=/var/opt/isc/scls/isc-bind/run/named/named.pid
>> ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS
>> ExecReload=/bin/kill -HUP $MAINPID
>> ExecStop=/bin/kill -TERM $MAINPID
>> PrivateTmp=true
>>
>> Anyone else experiencing this?
> 
> PIDFile shouldn't be needed at all - especially for threaded services
> it's useless, systemd knows the PID anyway
> 
> if that option is used in the provided systemd unit one should ask the
> guy who has written it: why?
> 
> if it were useful, my "ExecReload=/usr/bin/kill -HUP $MAINPID" wouldn't
> have worked for nearly 10 years without "PIDFile" (no, I won't use and
> configure rndc - keep it simple)
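
A small lint for the PIDFile= question discussed in this thread, added here as an example and not code from the thread or from ISC's packaging. It assumes POSIX sh with awk and mktemp, that an empty PIDFile= in a drop-in resets the vendor value, and uses constructed sample units in the shape of the one quoted above.

```shell
#!/bin/sh
# Lint a unit for the PIDFile= pattern: parse [Service], say whether PIDFile=
# is set and whether Type= needs it, and write a drop-in clearing it.
set -u

# unit_value FILE KEY -> last value of KEY inside [Service]; commented-out
# keys ("#PIDFile=...") and keys in other sections are ignored.
unit_value() {
    awk -v key="$2" -F= '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $1 == key { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# pidfile_check FILE -> one-line verdict; returns 0 = no PIDFile (nothing for
# PID 1 to open, so nothing for SELinux to deny), 1 = PIDFile set,
# 2 = Type=forking without PIDFile (systemd has to guess the main PID).
pidfile_check() {
    utype=$(unit_value "$1" Type); [ -n "$utype" ] || utype=simple
    pidfile=$(unit_value "$1" PIDFile)
    if [ -z "$pidfile" ]; then
        if [ "$utype" = forking ]; then
            echo "Type=forking without PIDFile: main PID is guessed"; return 2
        fi
        echo "Type=$utype without PIDFile: \$MAINPID comes from ExecStart"; return 0
    fi
    echo "PIDFile=$pidfile: PID 1 must read it; under enforcing SELinux check the label of $(dirname "$pidfile") with ls -Zd"
    return 1
}

# write_pidfile_dropin UNITSDIR UNIT -> UNITSDIR/UNIT.d/nopidfile.conf that
# clears PIDFile= (assumption: empty PIDFile= resets it). On a real host use
# /etc/systemd/system as UNITSDIR and run `systemctl daemon-reload` after.
write_pidfile_dropin() {
    mkdir -p "$1/$2.d"
    printf '[Service]\nPIDFile=\n' > "$1/$2.d/nopidfile.conf"
    echo "$1/$2.d/nopidfile.conf"
}

# Constructed sample in the shape of the ISC unit quoted in the thread.
# make_sample_unit 'PIDFile=...' (or '#PIDFile=...') -> path of a temp file
make_sample_unit() {
    f=$(mktemp)
    printf '%s\n' '[Unit]' 'Description=DNS Server' '' '[Service]' 'Type=forking' \
        "$1" 'ExecStart=/usr/sbin/named -u named $OPTIONS' 'PrivateTmp=true' > "$f"
    echo "$f"
}

pidfile_check "$(make_sample_unit 'PIDFile=/var/opt/isc/scls/isc-bind/run/named/named.pid')" || echo "exit status $?"
```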

