logging permission denied

Adam Tkac atkac at redhat.com
Fri Sep 19 13:29:35 UTC 2008


On Fri, Sep 19, 2008 at 06:08:10AM -0700, aklist wrote:
> On Thu, 18 Sep 2008 10:36:02 -0700 Chris Buxton <cbuxton at menandmice.com> wrote
> 
> > Here's the quick fix for a chroot'd path:
> > 
> > What you see as /var/named/chroot/, named will see as /. Therefore, if
> > you want the path to be /var/named/chroot/var/log, you would put
> > /var/log into the logging statement.
> > 
> > You cannot put a symlink into the chroot jail that leads outside of
> > the jail. You should not create any hardlinks in the jail that share
> > nodes with outside files or directories, because that provides an
> > attacker with an avenue for escape from the jail. What you can do is
> > to put a symlink called 'named' into /var/log that points to
> > /var/named/chroot/var/log. Then if named is logging to /var/log (inside the
> > jail), you can access its logs at the path /var/log/named.
> 
> Thanks for that, Chris.
> > 
> > And you should turn SELinux off if you don't have experience
> > maintaining it.
> 
> I wasn't aware that it was "on"...is this some feature of Fedora that's
> enabled by default? 
> 

That "feature" was enabled a long time ago. You can read the BIND FAQ
(http://www.isc.org/index.pl?/sw/bind/FAQ.php), question
"Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core". It
should explain to you how to configure BIND & SELinux.

Adam

-- 
Adam Tkac, Red Hat, Inc.
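
Added example, not part of the thread and not BIND's own tooling: a shell audit for the chroot points in Chris Buxton's quoted message (path mapping, hard links shared with files outside the jail, symlinks that stop resolving once the jail is "/"). It assumes GNU find and stat on Linux; the function names and output labels are made up for this example, and the jail directory is passed as an argument.

```bash
#!/bin/sh
# Added example (assumptions: GNU find/stat, file names without newlines).
# Typical call on the layout from the thread: audit_hardlinks /var/named/chroot

# Map a path as named sees it inside the jail to the path on the host.
jail_to_host() {    # usage: jail_to_host JAIL PATH_IN_JAIL
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# Report regular files in the jail that share an inode with a name outside it:
# the inode's link count exceeds the number of names found inside the jail.
audit_hardlinks() ( # usage: audit_hardlinks JAIL
    jail=${1%/}
    find "$jail" -xdev -type f -links +1 | while IFS= read -r f; do
        total=$(stat -c %h "$f")
        inside=$(find "$jail" -xdev -samefile "$f" | wc -l)
        if [ "$total" -gt "$inside" ]; then
            printf 'HARDLINK_OUTSIDE %s\n' "$f"
        fi
    done
)

# Report absolute symlinks in the jail whose target is missing when the path
# is re-rooted at the jail, i.e. links that only work from the host's view.
# Relative symlinks are not examined.
audit_symlinks() (  # usage: audit_symlinks JAIL
    jail=${1%/}
    find "$jail" -xdev -type l | while IFS= read -r l; do
        target=$(readlink "$l")
        case $target in
            /*)
                if [ ! -e "$(jail_to_host "$jail" "$target")" ]; then
                    printf 'DEAD_IN_JAIL %s -> %s\n' "$l" "$target"
                fi
                ;;
        esac
    done
)
```

An empty result from both audit functions means no shared hard links and no dead absolute symlinks were found under the given directory.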

