Bug 143438
| Summary: | wrong permissions for /var/named/chroot/var/named/ | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gene Czarcinski <gczarcinski> |
| Component: | bind | Assignee: | Jason Vas Dias <jvdias> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | bind-9.2.4-8_FC3, bind-9.3.0-2 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-01-14 18:09:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Gene Czarcinski
2004-12-20 20:38:18 UTC
Actually, the permissions of $ROOTDIR/var/named were set intentionally
this way at the request of the Red Hat Security response team, to
counter known security vulnerabilities in BIND .
If you are running with SELinux enabled, you need to set the SELinux
targeted policy boolean 'named_write_master_zones' to 1 to allow
the named process to create its DDNS journal files or to replace
its master zone files, and you need to do:
( # chown named:named $ROOTDIR/var/named
and
# chown named:named $ROOTDIR/var/named/{ DDNS updateable zone files }
) or
# chown -R named $ROOTDIR/var/named
to enable the correct file permissions for DDNS.
The next version (bind-9.2.4-4) will have this behaviour
implemented in the startup script (/etc/init.d/named):
if ( ( SELinux is enabled and
the 'named_write_master_zones' boolean is 1
) or
( SELinux is disabled and
the $ALLOW_DNS variable is 1
)
)and
$ROOTDIR/var/named does not have ownership named:named:
chown named:named $ROOTDIR/var/named/
chown named:named {all zone files where allow-update != None}
else
if ( ( SELinux is enabled and
the 'named_write_master_zones' boolean is 0
) or
( SELinux is disabled and
the $ALLOW_DNS variable is 1
)
)and
$ROOTDIR/var/named does not have ownership root:named:
chown root:named $ROOTDIR/var/named
chown root:named {all zone files where allow-update != None}
So in bind-9.2.4-4 you'll be able to set
"ALLOW_DDNS=1" in /etc/sysconfig/named (if SELinux is disabled) or
"named_write_master_zones"=1 in /etc/selinux/targeted/booleans
(if SELinux is enabled)
and the permission issues will be taken care of.
I had initially disabled selinux for named and that is when I hit the file permissions problem. I have since found out about the selinux named_write_master_zones boolean so that will enable turning selinux back on. Do you have an estimate as to when bind-9.2.4-4 will be available (I notice that bind-9.3.0 is in development)? BTW, I really believe that SELinux should be a bit more granular about the zone files and only allow creating/updating the .jnl files -- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143440 I'll try to issue an update of bind in FC3 to 9.2.4-4 and in Rawhide to 9.3.0-2 by 2005-01-05. This is now fixed in : FC-3 updates: bind-9.2.4-8_FC3 FC-4 rawhide: bind-9.3.0-2 These releases should be available on the normal channels from tomorrow (2005-1-15) onwards. If the named_write_master_zones SELinux boolean is enabled (1), then the startup script will ensure that the $ROOTDIR/var/named directory has ownership named:named. Else, it will ensure ownership root:named . |