SELinux / bind conflict

Paul Wouters paul at xelerance.com
Fri Sep 11 22:15:36 UTC 2009


On Fri, 11 Sep 2009, Andrews, Harold G CTR USAF HQ AF GCIC/CT wrote:

> I’m having a bit of difficulty setting up bind on FC11 (x64) which I’m using in a standalone
> network environment (i.e. no external network connectivity; essentially a closed dev
> network).  I loaded the package from Red Hat and started it running as a service after
> building my zone files and /etc/named.conf.  I’m not using chroot, just vanilla bind.  I’ve
> read a number of posts about conflicts with bind and SELinux which seems to be the issue
> here.  When I set the named_write_master_zones flag in SELinux, any actions related to
> starting or stopping the named service seem to set the flag back to false.

Adam is the person to ask about SELinux and Bind. I've CC:ed him and included the message for
him. Adam, can you help Harold?

Paul

> > restorecon -R -v /var/named
> > setsebool -P named_write_master_zones=1
> 
> Message log entry:
> 
> Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root
> 
> > service named restart
> 
> Message log entry:
> 
> Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
> Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
> Sep 11 17:13:19 netmgr named[3198]: shutting down: flushing changes
> Sep 11 17:13:19 netmgr named[3198]: stopping command channel on 127.0.0.1#953
> Sep 11 17:13:19 netmgr named[3198]: stopping command channel on ::1#953
> Sep 11 17:13:19 netmgr named[3198]: no longer listening on 127.0.0.1#53
> Sep 11 17:13:19 netmgr named[3198]: no longer listening on 192.168.2.0#53
> Sep 11 17:13:19 netmgr named[3198]: no longer listening on ::1#53
> Sep 11 17:13:19 netmgr named[3198]: exiting
> Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
> Sep 11 17:13:20 netmgr named[3270]: built with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix='
> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads'
> '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
> -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
> -DDIG_SIGCHASE'
> Sep 11 17:13:20 netmgr named[3270]: adjusted limit on open files from 1024 to 1048576
> Sep 11 17:13:20 netmgr named[3270]: found 4 CPUs, using 4 worker threads
> Sep 11 17:13:20 netmgr named[3270]: using up to 4096 sockets
> Sep 11 17:13:20 netmgr named[3270]: loading configuration from '/etc/named.conf'
> Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv4 port range: [1024, 65535]
> Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv6 port range: [1024, 65535]
> Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface lo, 127.0.0.1#53
> Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface eth0, 192.168.2.0#53
> Sep 11 17:13:20 netmgr named[3270]: listening on IPv6 interface lo, ::1#53
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 127.IN-ADDR.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 254.169.IN-ADDR.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: D.F.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 8.E.F.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 9.E.F.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: A.E.F.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: B.E.F.IP6.ARPA
> Sep 11 17:13:20 netmgr named[3270]: command channel listening on 127.0.0.1#953
> Sep 11 17:13:20 netmgr named[3270]: command channel listening on ::1#953
> Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
> Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
> Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: loaded serial 0
> Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
> Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
> Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: loaded serial 9091101
> Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
> Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
> Sep 11 17:13:20 netmgr named[3270]: zone localhost.localdomain/IN: loaded serial 0
> Sep 11 17:13:20 netmgr named[3270]: zone localhost/IN: loaded serial 0
> Sep 11 17:13:20 netmgr named[3270]: zone u-giif.af.mil/IN: loaded serial 9091103
> Sep 11 17:13:20 netmgr named[3270]: running
> Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35
> 
> Thoughts as to how to convince SELinux that I wasn’t kidding?  Thanks.
> 
> -Andy



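The log Harold quoted shows the pattern worth recognising: the boolean is set to 1 by hand, then eight seconds later, in the same second that named receives its 'stop' command, it is set back to 0 "by root", and the next start logs "the working directory is not writable" followed by the setroubleshoot denial. A boolean that reverts on every restart is being rewritten by something that runs as root during the restart, not by the administrator. The script below is an added example for this thread, not code from the original post or from BIND or Fedora; it assumes classic syslog line format and embeds the thread's own lines as a constructed sample, and it flags a boolean that was enabled and then disabled again within a short window around a named stop or start, alongside any setroubleshoot messages so the sealert id is not missed.

```python
"""Spot an SELinux boolean being reverted around a service restart.

Added example for this thread, not code from the original post or from
BIND/Fedora. It parses syslog-style lines like the ones Harold quoted and
flags a boolean that was set to 1 and then put back to 0 within a short
window in which named was stopped or started, the signature of something
other than the administrator rewriting the boolean on every restart.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the relevant lines from the quoted message, one entry
# per line (the mail client had wrapped some of them).
SAMPLE_LOG = """\
Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root
Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
BOOL_RE = re.compile(
    r"The (?P<name>\w+) policy boolean was changed to (?P<value>[01]) by (?P<user>\S+)"
)


def parse_syslog(text):
    """Turn classic syslog lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Syslog pads single-digit days with a space; collapse it before parsing.
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"],
                       "pid": m["pid"], "msg": m["msg"]})
    return events


def boolean_changes(events):
    """(timestamp, boolean name, new value, user) for every setsebool audit line."""
    changes = []
    for e in events:
        m = BOOL_RE.search(e["msg"]) if e["prog"] == "setsebool" else None
        if m:
            changes.append((e["ts"], m["name"], int(m["value"]), m["user"]))
    return changes


def named_restart_times(events):
    """Timestamps at which named was told to stop or reported that it was starting."""
    return [e["ts"] for e in events
            if e["prog"] == "named"
            and ("control channel command 'stop'" in e["msg"]
                 or e["msg"].startswith("starting BIND"))]


def find_reverted_booleans(events, window=timedelta(seconds=60)):
    """Booleans enabled and then disabled again within `window`, with a named
    stop/start inside that window. Returns (name, enabled_at, reverted_at)."""
    changes = boolean_changes(events)
    restarts = named_restart_times(events)
    findings = []
    for i, (t_on, name, value, _user) in enumerate(changes):
        if value != 1:
            continue
        for t_off, name2, value2, _ in changes[i + 1:]:
            if name2 != name:
                continue
            if value2 == 0 and t_off - t_on <= window and \
               any(t_on <= r <= t_off + window for r in restarts):
                findings.append((name, t_on, t_off))
            break  # only the next change of this boolean matters
    return findings


def selinux_denials(events):
    """Messages setroubleshoot logged; these carry the sealert id to read next."""
    return [e["msg"] for e in events if e["prog"] == "setroubleshoot"]


def report(text):
    """Human-readable findings for a block of syslog text."""
    events = parse_syslog(text)
    lines = []
    for name, t_on, t_off in find_reverted_booleans(events):
        lines.append(f"{name}: set to 1 at {t_on:%H:%M:%S}, reverted to 0 at "
                     f"{t_off:%H:%M:%S} while named was restarting; something "
                     "other than the admin is rewriting this boolean")
    for msg in selinux_denials(events):
        lines.append("denial: " + msg)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample it reports one reverted boolean and one denial. Two practitioner notes: the script only tells you that the boolean is being reset during the restart, so the next step is to read the service's start-up path (init script, sysconfig file) for a `setsebool` call and the `sealert -l` output for the exact denied path; and on Fedora's targeted policy named may already write under directories labelled named_cache_t (such as /var/named/slaves, /var/named/data and /var/named/dynamic), so keeping slave and dynamically updated zone files there is a narrower fix than granting write access to every named_zone_t file with the boolean.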