Permissions Issue starting Bind 9.3.1
Jason Vas Dias
jvdias at redhat.com
Wed Dec 14 16:10:55 UTC 2005
On Tuesday 13 December 2005 22:05, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
> > I am using Bind 9.3.1 on RedHat Enterprise 4 which I installed using the
> > RPMs available by RedHat. While it appears to load the zones properly, it
> > is unable to start completely due to permissions issues with the named.ca
> > and configuration file. Below are the log entries:
> >
> > Dec 13 18:11:57 ds01 named[1126]: starting BIND 9.3.1 -u named
> > Dec 13 18:11:57 ds01 named[1126]: found 1 CPU, using 1 worker thread
> > Dec 13 18:11:57 ds01 named[1126]: loading configuration from
> > '/etc/named.conf'
> > Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface lo,
> > 127.0.0.1#53
> > Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth0,
> > 67.x.x.x#53
> > Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth1,
> > 10.x.x.x#53
> > Dec 13 18:11:57 ds01 kernel: audit(1134519117.077:0): avc: denied { read }
> > for pid=1127 exe=/usr/sbin/named name=named.ca dev=sda5 ino=8717074
> > scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file
> > Dec 13 18:11:57 ds01 named[1126]: could not configure root hints from
> > 'named.ca': permission denied
> > Dec 13 18:11:57 ds01 named[1126]: loading configuration: permission denied
> > Dec 13 18:11:57 ds01 named[1126]: exiting (due to fatal error)
> > Dec 13 18:11:57 ds01 named: named startup failed
> >
> >
> > As far as I can see, the permissions are set properly. Here are the
> > permissions for the two files mentioned in the log entries above:
> >
> > -rw-r--r-- 1 named named 2518 Jul 26 02:40 named.ca
> > -rw-r----- 1 root named 7761 Dec 13 18:11 named.conf
> >
> >
> > Any ideas as to what is causing this?
> >
> > Thank You,
> > Jason Williard
>
> Stupid idiotic defaults for named in SELinux.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
>
>
Yes, as mentioned by Mark, this issue is caused by Red Hat's
terrific SELinux named security features, which remove the
need to run BIND in a chroot environment.
You need to ensure that your configuration files are located
where the SELinux policy expects to find them.
If you have bind-chroot installed, $ROOTDIR will be set in
/etc/sysconfig/named.
The SELinux policy expects to find the named configuration files here:
Location:                              Context (shown by ls -Z):
$ROOTDIR/etc/{named.conf,rndc.*}       system_u:object_r:named_conf_t
$ROOTDIR/var/named{,/*}                system_u:object_r:named_zone_t
$ROOTDIR/var/named/data{,/*}           system_u:object_r:named_cache_t
$ROOTDIR/var/named/slaves{,/*}         system_u:object_r:named_cache_t
If your files do not have the contexts as shown above, do:
# restorecon -R /etc /var/named
Check your named.conf 'options { directory ... };' setting to ensure
your zone files are in the locations expected by SELinux.
If you really want to put configuration files in a different location,
use
# chcon system_u:object_r:named_zone_t $my_zone_files
or
# chcon system_u:object_r:named_conf_t $my_conf_files
Named is allowed to write to named_cache_t files, but not to
named_zone_t or named_conf_t files by the SELinux policy. If
you have dynamically updateable or slave zone files, put them
in $ROOTDIR/var/named/slaves.
You can tell SELinux to allow zone file writes by setting the
tunable boolean 'named_write_master_zones' in
/etc/selinux/targeted/booleans.
If you've any further issues with using BIND on RHEL-4, please
raise a bugzilla:
https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux&version=4&component=bind
and I'll do my best to resolve them.
Thanks & Regards
Jason Vas Dias
Red Hat BIND package maintainer
Red Hat Inc.
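As an added illustration of the label check described in the reply above (example code, not from the thread, Red Hat or ISC): a small POSIX sh script that compares file contexts against the table of expected types and turns an AVC denial line like the one quoted into the action to take. It assumes the RHEL-4 targeted policy layout and an empty $ROOTDIR unless bind-chroot is installed; the sample file list and AVC line are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check that BIND's files carry the
# SELinux types the reply lists, and explain an AVC denial for named_t.
# Assumes the RHEL-4 targeted policy; ROOTDIR is empty without bind-chroot.
ROOTDIR="${ROOTDIR:-}"

# Type the policy expects for a path (the table from the reply).
expected_type() {
    p="${1#"$ROOTDIR"}"
    case "$p" in
        /etc/named.conf|/etc/rndc.*)             echo named_conf_t ;;
        /var/named/data|/var/named/data/*)       echo named_cache_t ;;
        /var/named/slaves|/var/named/slaves/*)   echo named_cache_t ;;
        /var/named|/var/named/*)                 echo named_zone_t ;;
        *)                                       echo unknown ;;
    esac
}

# The type field of a "user:role:type" context string.
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# Reads "path context" lines on stdin (e.g. `ls -dZ <paths>` piped through
# awk '{print $NF, $(NF-1)}') and reports MISMATCH where the type differs
# from what the policy expects for that location.
check_labels() {
    while read -r path ctx; do
        want=$(expected_type "$path"); have=$(type_of "$ctx")
        if [ "$want" = unknown ]; then echo "SKIP $path ($have)"
        elif [ "$have" = "$want" ]; then echo "OK $path ($have)"
        else echo "MISMATCH $path: has $have, policy expects $want"; fi
    done
}

# Turns a kernel AVC denial line into the fix the reply recommends.
avc_explain() {
    name=$(printf '%s\n' "$1" | sed -n 's/.*name=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    ttype=$(type_of "$tctx")
    case "$ttype" in
        named_*) echo "$name is $ttype: file is in a directory the policy does not expect for it" ;;
        *)       echo "$name is $ttype, not a named_* type: run restorecon on it" ;;
    esac
}

# Constructed sample: named.ca ended up labelled var_t, as in the report.
SAMPLE='/etc/named.conf system_u:object_r:named_conf_t
/var/named/named.ca root:object_r:var_t
/var/named/slaves/sec.db system_u:object_r:named_cache_t'
AVC='avc: denied { read } for pid=1127 exe=/usr/sbin/named name=named.ca dev=sda5 ino=8717074 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file'
printf '%s\n' "$SAMPLE" | check_labels
avc_explain "$AVC"
```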