Confused about SELinux error

ToddAndMargo ToddAndMargo at zoho.com
Mon Aug 14 20:57:23 UTC 2017


>> ----- Original Message -----
>> From: "ToddAndMargo" <ToddAndMargo at zoho.com>
>> To: bind-users at lists.isc.org
>> Sent: Friday, August 11, 2017 10:39:11 PM
>> Subject: Confused about SELinux error
>> 
>> Hi All,
>> 
>> What does this SELinux error mean when I start bind-chroot?
>> 
>>        # semanage fcontext -a -t FILE_TYPE 'session.key'
>> 
>>        where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
>>        ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
>>        named_log_t, named_tmp_t, named_var_run_t.
>> 
>>       # semanage fcontext -a -t named_var_run_t 'session.key'
>>       # restorecon -v 'session.key'
>> 
>> 
>> How am I supposed to know what "FILE_TYPE" they are talking about?
>> 
>> -T

On 08/14/2017 06:26 AM, Petr Mensik wrote:
> Hi Todd,
> 
> that means you are trying to save session.key into a directory where SELinux forbids write access to named.
> Session.key is a file created once per start and removed before shutdown. I think you have something wrong with the /var/run/named -> /run/named link.
> The default built-in value is /var/run/named/session.key. The default Fedora configuration uses /run/named/session.key. Both paths should work without difference.
> 
> The correct SELinux type for files in /run/named is named_var_run_t. I think you should run this instead:
> $ restorecon -rv /run/named /var/run/named
> 
> Then restart named service. Context of a new file should be already correct.
> 
> Do you have this option in your configuration file? What is its value?
> # options { ...
> session-keyfile "/run/named/session.key";
> 
> It would be helpful if you included your configuration in readable form, please.

Chuckle.  I promise not to use zoho's web mail.  And
I thought gMail's web mail stunk!


> The listed types are more likely the types named is allowed to touch. I admit SELinux errors are often confusing. What you wrote here are hints on how to solve the error, not the error itself.
> More helpful errors would be printed by:
> $ ausearch -i -ts today -m avc -m user_avc -m selinux_err
> 
> Regards,
> Petr
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com  PGP: 65C6C973
> 


Hi Petr,

Thank you for responding!  I have attached my
named.conf and my dhcpd.conf

I have an rndc.key in /var/named/chroot/etc/:

key "rndckey" {
	algorithm	hmac-md5;
	secret		"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};


But I don't see named.conf calling it out.  It may
be a holdover from the previous CentOS 5 installation.

I do see "key DHCP_UPDATER" called out.  Perhaps
that is what rndckey is about?

-T



~~~~~~~~~~~~~ named.conf ~~~~~~~~~~~~~~~
options {
        # the following forwarders are for OpenDNS
        forwarders { 208.67.222.222; 208.67.220.220; };
        directory "/var/named";
};

zone "." {
        type hint;
        file "named.ca";
};

# TSIG key shared with dhcpd for dynamic updates
key DHCP_UPDATER {
        algorithm hmac-md5;
        secret xxxxxxxxxxxxxxxxxxxxxxxx;
};

zone "xxxx.local" {
        type master;
        file "slaves/xxxxx.hosts";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "yyy.168.192.in-addr.arpa" {
        type master;
        file "slaves/xxxxx.hosts.rev";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

logging {
        channel update_debug {
                file "slaves/named-update-debug.log";
                severity debug 3;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel security_info {
                file "slaves/named-auth.info";
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        category update { update_debug; };
        category security { security_info; };
};


~~~~~~~~~~~~~ dhcpd.conf ~~~~~~~~~~~~~~~
# DHCPDARGS is a /etc/sysconfig/dhcpd variable, not a dhcpd.conf statement;
# dhcpd will not parse it here, so it is commented out.
# DHCPDARGS=eno1;
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;

option ntp-servers 192.168.xxx.yyy;
option domain-name "xxxxxx.local";
option domain-name-servers 192.168.xxx.yyy;
option netbios-node-type 8;

# must match the key {} block in named.conf
key DHCP_UPDATER {
        algorithm hmac-md5;
        secret xxxxxxxxxxxxxxxxxxxxxxx;
};

zone xxxxx.local. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone xxx.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

subnet 192.168.xxx.0 netmask 255.255.255.0 {
        range 192.168.xxx.100 192.168.xxx.200;
        default-lease-time 10368000;
        max-lease-time 10368000;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.xxx.255;
        option routers 192.168.xxx.yyy;
        option domain-name-servers 192.168.xxx.yyy;
        option domain-name "xxxxxx.local";
        option time-offset 39600;
        option ip-forwarding off;
        option netbios-node-type 1;

        # numerous fixed IPs removed for brevity

}

subnet aaa.bbb.ccc.ddd netmask 255.255.255.252 {}
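The checks below are an added example, not code from this thread or from ISC. They turn Petr's three points into something you can run before touching the box: spot a file under /run/named whose SELinux type is not named_var_run_t, emit the restorecon line only when that is actually the case, and work out which path named will use for the session key (the session-keyfile option if named.conf sets one, otherwise the built-in /var/run/named/session.key default he quotes). It also flags key {} blocks that use hmac-md5, the algorithm in both posted configs. The ls -Z listing and the named.conf fragment are constructed inputs with placeholder secrets, so nothing here needs semanage, restorecon or a running named.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: offline checks for the
# session.key labelling problem Petr describes, plus a scan of named.conf
# for hmac-md5 TSIG keys. Every input below is constructed text, so the
# script runs without semanage/restorecon/named.

# SELinux type Petr says files under /run/named must carry.
EXPECTED_TYPE="named_var_run_t"

# Constructed stand-in for `ls -Z /run/named` (GNU ls prints "<context> <name>")
# on a host where session.key picked up the wrong label.
SAMPLE_LS_Z='system_u:object_r:named_var_run_t:s0 named.pid
unconfined_u:object_r:var_run_t:s0 session.key'

# Constructed named.conf fragment; secrets are placeholders.
SAMPLE_NAMED_CONF='options {
        directory "/var/named";
        session-keyfile "/run/named/session.key";
};
key "rndckey" {
        algorithm hmac-md5;
        secret "REDACTED";
};
key DHCP_UPDATER {
        algorithm hmac-sha256;
        secret "REDACTED";
};'

# The type is the third colon-separated field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print every name from an ls -Z style listing whose type is not $EXPECTED_TYPE.
# An empty result means restorecon has nothing to do for the directory.
mislabeled_paths() {
    printf '%s\n' "$1" | while read -r ctx name; do
        [ -z "$ctx" ] && continue
        if [ "$(context_type "$ctx")" != "$EXPECTED_TYPE" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Petr's fix, emitted only when the listing shows a mislabeled file.
fix_hint() {
    if [ -n "$(mislabeled_paths "$1")" ]; then
        printf '%s\n' "restorecon -rv /run/named /var/run/named"
    fi
}

# Path named will write the session key to: the session-keyfile option if
# named.conf sets one, otherwise the built-in default Petr quotes.
session_keyfile() {
    p=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*session-keyfile[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf '%s\n' "/var/run/named/session.key"
    fi
}

# Names of key {} blocks whose algorithm is hmac-md5 (one per line).
# hmac-md5 is still accepted by BIND but is the weakest TSIG choice; these
# keys are the candidates to regenerate with hmac-sha256 on both ends.
md5_tsig_keys() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*key[ \t]/ { name = $2; gsub(/["{;]/, "", name) }
        /algorithm[ \t]+hmac-md5[ \t]*;/ { print name }'
}

# Stand-alone run over the constructed samples.
printf 'session key path : %s\n' "$(session_keyfile "$SAMPLE_NAMED_CONF")"
printf 'mislabeled files : %s\n' "$(mislabeled_paths "$SAMPLE_LS_Z")"
printf 'suggested fix    : %s\n' "$(fix_hint "$SAMPLE_LS_Z")"
printf 'hmac-md5 keys    : %s\n' "$(md5_tsig_keys "$SAMPLE_NAMED_CONF")"
```

On a real host, feed `ls -Z /run/named` and the live named.conf into the same functions; if `mislabeled_paths` prints anything, run the restorecon line Petr gave and restart named, then confirm the AVCs have stopped with `ausearch -i -ts today -m avc -m user_avc -m selinux_err`. Whatever `session_keyfile` prints must resolve to a directory labelled named_var_run_t, which is exactly what the /var/run/named -> /run/named symlink normally guarantees. If a key name comes back from `md5_tsig_keys`, regenerate it with a SHA-2 HMAC and update both named.conf and dhcpd.conf in the same change, since the two key {} blocks have to agree.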




