Unable to start Bind on a fresh RHEL 8.6 system with enforcing SELinux

Søren Andersen soande at norlys.dk
Mon Jun 13 17:12:26 UTC 2022


Hello,


On a fresh install the SELinux context is 'var_t', and if I change it to 'named_var_run_t' it works!

[root@ run]# ls -lZ
total 0
drwxrwx---. 2 named named system_u:object_r:var_t:s0 42 Jun 13 14:50 named

FYI:
I also tried installing the built-in named in RHEL 8, and its systemd unit file looks like this. It also uses 'PIDFile':

[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target

[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid

ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'

ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

PrivateTmp=true

[Install]
WantedBy=multi-user.target


Is anyone else who is using the ISC repo seeing the same issue with the wrong SELinux context?

________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Sandro <lists at penguinpee.nl>
Sent: Friday, 10 June 2022 17.45
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: Unable to start Bind on a fresh RHEL 8.6 system with enforcing SELinux



On 10-06-2022 17:21, Reindl Harald wrote:

My apologies if I offended you.

> seriously - about what magic are you talking?
> do you even know what a pidfile is?
>
> it's a simple text file where the process writes its PID
> and PIDFile forces systemd to read that file and use the content as
> "Main PID"

Yes, I am aware of what a pidfile is.

So, the above would underline my analysis that systemd was not able to read
the pidfile. Possible causes:

1. Configuration issue: named did not write the pidfile to the file
indicated in the unit file by PIDFile

2. SELinux issue: named was not able to write the pidfile, because
SELinux denied access.


> the whole point of my responses was the upstream should reconsider to
> use the option because it's proven to be useless no matter what some
> outdated manpage says

I cannot comment on the man page being up to date. But I already agreed
with your point of view, that PIDFile in case of named has become obsolete.

So, I think we are on the same page here.

-- Sandro
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
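The thread narrows the failure down to two candidate causes: named writes its pidfile somewhere other than the path in PIDFile=, or SELinux denies the write because /run/named carries the wrong type (var_t instead of named_var_run_t, as the ls -lZ output above shows). The script below is an added example, not code from the thread or from ISC, that checks both on a RHEL 8 host. The unit path /usr/lib/systemd/system/named.service and the fallback pidfile path /run/named/named.pid are assumptions taken from the RHEL unit quoted above; an ISC-repo build may use different paths. The parsing helpers are pure string handling so they run anywhere; only diagnose() touches the real system.

```shell
#!/bin/sh
# Added example (not from the thread or ISC): check why systemd cannot read
# named's pidfile on an SELinux-enforcing RHEL 8 host.
#   cause 1: named.conf pid-file != PIDFile= in the unit
#   cause 2: the pidfile directory is not labelled named_var_run_t

EXPECTED_TYPE=named_var_run_t
# Assumed locations (match the RHEL unit quoted in the thread).
UNIT_FILE=/usr/lib/systemd/system/named.service
DEFAULT_PIDFILE=/run/named/named.pid

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -lZ` or `ls -dZ` output; prints nothing if no context is present.
selinux_type_of() {
    ctx=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Return 0 when the ls -Z line carries the expected type, 1 otherwise.
label_ok() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# Pidfile named will actually use: the `pid-file` option from named.conf text
# ($1) if set, the string "none" if the option disables it, else default ($2).
named_pidfile() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pid-file[[:space:]]+none[[:space:]]*;'; then
        printf 'none\n'
        return
    fi
    p=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf '%s\n' "$2"
    fi
}

# PIDFile= value from systemd unit text ($1).
unit_pidfile() {
    printf '%s\n' "$1" | sed -n 's/^PIDFile=//p' | head -n 1
}

# Run the checks against the live host (root recommended).
diagnose() {
    conf=${NAMEDCONF:-/etc/named.conf}
    want=$(unit_pidfile "$(cat "$UNIT_FILE")")
    have=$(named_pidfile "$(cat "$conf")" "$DEFAULT_PIDFILE")
    echo "unit PIDFile=$want; named will write: $have"
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: align pid-file in $conf with PIDFile= in $UNIT_FILE"
    fi
    [ "$have" = none ] && return
    dir=$(dirname "$have")
    line=$(ls -dZ "$dir")
    if label_ok "$line" "$EXPECTED_TYPE"; then
        echo "$dir is labelled $EXPECTED_TYPE"
    else
        echo "$dir has type '$(selinux_type_of "$line")', expected $EXPECTED_TYPE"
        echo "policy says:   matchpathcon $dir"
        echo "relabel with:  restorecon -Rv $dir"
        echo "denials:       ausearch -m AVC -c named -ts recent"
    fi
}

# Only touch the live system when explicitly asked: ./check-named-pidfile.sh run
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Prefer restorecon over chcon for the fix: restorecon applies the type the loaded policy assigns to the path (what matchpathcon reports), and because /run is a tmpfs that is recreated at boot, a hand-set chcon label disappears with the directory, while whatever recreates it (systemd-tmpfiles, a package script, or named itself) decides the label on the next boot. If matchpathcon does not already report named_var_run_t for the directory, the policy itself has no rule for that path and a chcon workaround will keep regressing.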