bind chrooted, logging and SELinux = suffering

Mariano Cunietti mcunietti at enter.it
Wed Jun 1 15:52:33 UTC 2005


Thanks Jason,
you've been very helpful.
I was paying more attention while reading RedHat SELinux implementation
and usage man pages on
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

Though SELinux is not very friendly at first glance, I'm starting to
undergo its apparent difficulties. I found it very interesting.

So, my fault: I've been too lazy to read and too fast to write.
I'm happy to hear that many workarounds (as bind-chroot is) won't be
necessary anymore.

Now, let's go on reading ;-)
Bye

Mariano

On Wed, 2005-06-01 at 17:46, Jason Vas Dias wrote:
> On Wed, 2005-06-01 at 10:06, Mariano Cunietti wrote:
> > Hi,
> > I'm running Bind 9.2.4 chrooted (bind-chroot.rpm, directory
> > /var/named/chroot/) on a RedHat 4EL server, with SELinux enforced.
> > After a lot of trouble (solved!) with slave zone transfers (take a look
> > to message "Solution to slave zone transfer problem", by Jason Vas Dias
> > <jvdias at redhat.com>), I get always the same error while trying to log to
> > other file than /dev/log:
> > 
> > logging {
> >         channel seclog {
> >         file "/var/log/dns-sec.log" versions 5 size 1m;
> >         print-time yes; print-category yes;
> >         };
> >         category xfer-out { seclog; };
> >         category security { seclog; };
> >         category lame-servers { null; };
> > };
> > 
> > # ls -l /var/named/chroot/
> > drwxrwxr--  2 root named 4096 May 31 14:50 dev
> > drwxrwx---  2 root named 4096 Jun  1 15:57 etc
> > drwxrwx---  6 root named 4096 May 31 15:18 var
> > 
> > # ls -l /var/named/chroot/var
> > drwxrwx---  2 named named 4096 May 31 15:18 log
> > drwxrwx---  4 root  named 4096 Jun  1 15:19 named
> > drwxrwx---  3 root  named 4096 May 30 16:03 run
> > drwxrwx---  2 named named 4096 May 31 17:31 tmp
> > 
> > # ls -l /var/named/chroot/var/log
> > -rw-rw----  1 named named 0 May 31 15:18 dns-sec.log
> > 
> > # tail -f /var/log/messages
> > 
> > Jun  1 15:40:03 dexter named[29371]: loading configuration from
> > /etc/named.conf'
> > Jun  1 15:40:03 dexter named[29371]: logging channel 'seclog' file
> > '/var/log/dns-sec.log': permission denied
> > Jun  1 15:40:03 dexter kernel: audit(1117633203.103:0): avc:  denied  {
> > append } for  pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2
> > ino=3801110 scontext=root:system_r:named_t 
> > tcontext=root:object_r:named_conf_t tclass=file
> > Jun  1 15:40:03 dexter named: named reload succeeded
> > 
> > 
> > I think SELinux is causing a lot of problems. How can I disable all of
> > these constraints without shutting it off? How is it possible that
> > RedHat is not concerned about an official RPM *NOT* working because of
> > conflicts with other default configurations??
> > Did anybody else get these pains in the a*s?
> > 
> > I'm really disgruntled. How can we encourage security when the only way
> > out is no-security??
> > 
> > Thanks
> > 
> If you have problems with the Red Hat BIND distribution, please report
> them through bugzilla.redhat.com .
> 
> By default, Red Hat ships BIND with maximum security protection enabled,
> to counter known security vulnerabilities as mandated by our security
> response team.
> 
> You are free to disable the SELinux BIND security protection completely:
> 
>  # chcon -R system_u:object_r:sbin_t /usr/sbin/named /usr/sbin/rndc
>  # chown -R named:named /var/named
> 
> A better solution would be to work within the SELinux named policy for
> new files you want bind to create / write - for example, to enable
> writing to a /var/named/chroot/log directory as in your case:
> 
>  # mkdir /var/named/chroot/log
>  # chown named:named /var/named/chroot/log
>  # chcon -R system_u:object_r:named_cache_t /var/named/chroot/log
> 
> Also, bear in mind that the need for the chroot environment is 
> removed by use of SELinux: SELinux policy is far more secure than
> the chroot environment. You can "rpm -e bind-chroot" and then use
> SELinux to enforce security for the /var/named directory.
> 
> I've attached the "NOTES" section from the named man-page in 
> the latest version of the Red Hat BIND distribution which
> explains SELinux BIND administration issues:
> 
> NOTES
>        Red Hat SELinux BIND Security Profile:
> 
>        By default, Red Hat ships BIND with the most secure SELinux policy that
>        will not prevent normal BIND operation and will prevent exploitation of
>        all known BIND security vulnerabilities. See the selinux(8) man page
>        for information about SELinux.
> 
>        It is not necessary to run named in a chroot environment if the Red Hat
>        SELinux policy for named is enabled. When enabled, this policy is far
>        more secure than a chroot environment. Users are recommended to enable
>        SELinux and remove the bind-chroot package.
> 
>        With this extra security comes some restrictions:
> 
>        By default, the SELinux policy does not allow named to write any master
>        zone database files. Only the root user may create files in the
>        $ROOTDIR/var/named zone database file directory (the options
>        { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.
> 
>        The "named" group must be granted read privilege to these files in
>        order for named to be enabled to read them.
> 
>        Any file created in the zone database file directory is automatically
>        assigned the SELinux file context named_zone_t.
> 
>        By default, SELinux prevents any role from modifying named_zone_t
>        files; this means that files in the zone database directory cannot be
>        modified by dynamic DNS (DDNS) updates or zone transfers.
> 
>        The Red Hat BIND distribution and SELinux policy create two
>        directories where named is allowed to create and modify files:
>        $ROOTDIR/var/named/slaves and $ROOTDIR/var/named/data. By placing files
>        you want named to modify, such as slave or DDNS updateable zone files
>        and database / statistics dump files, in these directories, named will
>        work normally and no further operator action is required. Files in
>        these directories are automatically assigned the 'named_cache_t' file
>        context, which SELinux allows named to write.
> 
>        You can enable the named_t domain to write and create named_zone_t
>        files by use of the SELinux tunable boolean variable
>        "named_write_master_zones", using the setsebool(8) command or the
>        system-config-security GUI. If you do this, you must also set the
>        ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to 1 / yes to set
>        the ownership of files in the $ROOTDIR/var/named directory to
>        named:named in order for named to be allowed to write them.
-- 
-------------------------
Mariano Cunietti
System Administrator
Enter S.r.l.
Via  Stefanardo da Vimercate, 28
20128 - Milano - Italy
Tel.  +39 02 25514319
Fax   +39 02 25514303
mcunietti at enter.it
www.enter.it - www.enterpoint.it
---------------------------
Gruppo Y2K - www.gruppoy2k.it
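A small triage helper for the kind of AVC denial Mariano posted, mapping it to the two fixes the thread describes (relabelling the log directory named_cache_t, or the named_write_master_zones boolean for master zone files). This is an added example, not code from the thread or from Red Hat; AVC_LINE is a constructed copy of the posted log line, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: triage a named AVC denial from syslog
# and print the remedy the thread describes. AVC_LINE is constructed to
# match the one Mariano posted; the helper names are this example's own.

AVC_LINE='Jun  1 15:40:03 dexter kernel: audit(1117633203.103:0): avc:  denied  { append } for  pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 ino=3801110 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file'

# avc_field LINE KEY: value of the "KEY=value" token in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\) *}.*/\1/p'
}

# named_advice LINE: relabel-cache | zone-write-boolean | ignore | unknown
named_advice() {
    line=$1
    case "$line" in *" denied "*) ;; *) echo ignore; return 0 ;; esac
    src=$(avc_field "$line" scontext)
    tgt=$(avc_field "$line" tcontext)
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    # only denials whose source domain is named_t concern BIND
    case "$src" in *:named_t) ;; *) echo ignore; return 0 ;; esac
    case "$perm" in write|append|create) ;; *) echo unknown; return 0 ;; esac
    case "$tgt:$cls" in
        # config-labelled target (Mariano's log): relabel its directory
        *:named_conf_t:file|*:named_conf_t:dir) echo relabel-cache ;;
        # master zone file: the man page's named_write_master_zones boolean
        *:named_zone_t:file|*:named_zone_t:dir) echo zone-write-boolean ;;
        *) echo unknown ;;
    esac
}

# named_remedy ADVICE PATH: the commands the thread recommends, one per line
named_remedy() {
    case "$1" in
        relabel-cache)
            echo "chown named:named $2"
            echo "chcon -R system_u:object_r:named_cache_t $2" ;;
        zone-write-boolean)
            echo "setsebool -P named_write_master_zones 1"
            echo "# then set ENABLE_ZONE_WRITE=yes in /etc/sysconfig/named" ;;
        *) echo "# no automatic remedy; inspect the denial" ;;
    esac
}
named_remedy "$(named_advice "$AVC_LINE")" /var/named/chroot/var/log
```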
