bind chrooted, logging and SELinux = suffering
Mariano Cunietti
mcunietti at enter.it
Wed Jun 1 14:06:08 UTC 2005
Hi,
I'm running Bind 9.2.4 chrooted (bind-chroot.rpm, directory
/var/named/chroot/) on a RedHat 4EL server, with SELinux enforced.
After a lot of trouble (solved!) with slave zone transfers (take a look
at the message "Solution to slave zone transfer problem", by Jason Vas Dias
<jvdias at redhat.com>), I always get the same error while trying to log to
a file other than /dev/log:
logging {
    channel seclog {
        file "/var/log/dns-sec.log" versions 5 size 1m;
        print-time yes; print-category yes;
    };
    category xfer-out { seclog; };
    category security { seclog; };
    category lame-servers { null; };
};
# ls -l /var/named/chroot/
drwxrwxr-- 2 root named 4096 May 31 14:50 dev
drwxrwx--- 2 root named 4096 Jun 1 15:57 etc
drwxrwx--- 6 root named 4096 May 31 15:18 var
# ls -l /var/named/chroot/var
drwxrwx--- 2 named named 4096 May 31 15:18 log
drwxrwx--- 4 root named 4096 Jun 1 15:19 named
drwxrwx--- 3 root named 4096 May 30 16:03 run
drwxrwx--- 2 named named 4096 May 31 17:31 tmp
# ls -l /var/named/chroot/var/log
-rw-rw---- 1 named named 0 May 31 15:18 dns-sec.log
# tail -f /var/log/messages
Jun 1 15:40:03 dexter named[29371]: loading configuration from /etc/named.conf'
Jun 1 15:40:03 dexter named[29371]: logging channel 'seclog' file '/var/log/dns-sec.log': permission denied
Jun 1 15:40:03 dexter kernel: audit(1117633203.103:0): avc: denied { append } for pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 ino=3801110 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file
Jun 1 15:40:03 dexter named: named reload succeeded
I think SELinux is causing a lot of problems. How can I disable all of
these constraints without shutting it off? How is it possible that
RedHat is not concerned about an official RPM *NOT* working because of
conflicts with other default configurations??
Did anybody else get these pains in the a*s?
I'm really disgruntled. How can we encourage security when the only way
out is no-security??
Thanks
--
-------------------------
Mariano Cunietti
System Administrator
Enter S.r.l.
Via Stefanardo da Vimercate, 28
20128 - Milano - Italy
Tel. +39 02 25514319
Fax +39 02 25514303
mcunietti at enter.it
www.enter.it - www.enterpoint.it
---------------------------
Gruppo Y2K - www.gruppoy2k.it
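As an added example (not part of Mariano's post, nor code from the bind or SELinux packages), the Python script below parses kernel AVC denial lines of the form quoted in the post and flags the pattern it shows: the named_t domain being refused a write-type permission (here append) on a file whose type is a config type (named_conf_t), which is what happens when a writable log file sits under a directory labelled for configuration. The sample input is the post's own three syslog lines, rejoined onto single lines. The grouping of "write-type" permissions and the `_conf_t` suffix heuristic are my own; named_log_t is assumed to be the targeted policy's type for named's log files and should be verified against the installed policy before relabeling anything.

```python
import re

# Constructed sample input: the three syslog lines from the post, with the
# kernel's AVC message rejoined onto a single line as it appears in the log.
SAMPLE_LOG = """\
Jun 1 15:40:03 dexter named[29371]: logging channel 'seclog' file '/var/log/dns-sec.log': permission denied
Jun 1 15:40:03 dexter kernel: audit(1117633203.103:0): avc: denied { append } for pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 ino=3801110 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file
Jun 1 15:40:03 dexter named: named reload succeeded
"""

# Shape of a denial: "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# File permissions that imply the process wanted to modify the object
# (my own grouping for this heuristic, not an SELinux policy constant).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Split user:role:type so callers can compare the type component directly.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(rec, log_type="named_log_t"):
    """Explain a denial matching the post's pattern, or return None.

    log_type is assumed to be the policy's type for named's log files; check it
    against the installed policy before relabeling.
    """
    if rec.get("tclass") != "file" or not (rec["perms"] & WRITE_PERMS):
        return None
    src = rec.get("scontext_type", "?")
    tgt = rec.get("tcontext_type", "?")
    if not tgt.endswith("_conf_t"):
        return None
    perms = ",".join(sorted(rec["perms"]))
    return (
        f"{src} (pid {rec.get('pid', '?')}, {rec.get('exe', '?')}) was denied {perms} on "
        f"{rec.get('name', '?')} labelled {tgt}: a config type is read-only for the daemon, "
        f"so the file most likely inherited its label from a config-labelled directory. "
        f"Check the label with ls -Z, then relabel the log file to {log_type} or add a "
        f"file context for its path and run restorecon."
    )


def scan(text):
    """Return (record, diagnosis) for every AVC denial found in a log excerpt."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((rec, diagnose(rec)))
    return out


if __name__ == "__main__":
    for rec, why in scan(SAMPLE_LOG):
        print(why or f"denial on {rec.get('name')}: {sorted(rec['perms'])} (no diagnosis)")
```

Run against the post's excerpt it reports the single append denial on dns-sec.log as a config-labelled file written by named_t; read denials, or denials on directories rather than files, are parsed but not diagnosed, so the heuristic stays narrow.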