Bug 143438
| Summary: | wrong permissions for /var/named/chroot/var/named/ | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gene Czarcinski <gczarcinski> |
| Component: | bind | Assignee: | Jason Vas Dias <jvdias> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | bind-9.2.4-8_FC3, bind-9.3.0-2 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-01-14 18:09:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gene Czarcinski
2004-12-20 20:38:18 UTC
Actually, the permissions of $ROOTDIR/var/named were set intentionally this way at the request of the Red Hat Security response team, to counter known security vulnerabilities in BIND. If you are running with SELinux enabled, you need to set the SELinux targeted policy boolean 'named_write_master_zones' to 1 to allow the named process to create its DDNS journal files or to replace its master zone files, and you need to do:

```
( # chown named:named $ROOTDIR/var/named
  and
  # chown named:named $ROOTDIR/var/named/{ DDNS updateable zone files } )
or
# chown -R named $ROOTDIR/var/named
```

to enable the correct file permissions for DDNS.

The next version (bind-9.2.4-4) will have this behaviour implemented in the startup script (/etc/init.d/named):

```
if ( ( SELinux is enabled and the 'named_write_master_zones' boolean is 1 )
     or ( SELinux is disabled and the $ALLOW_DNS variable is 1 ) )
   and $ROOTDIR/var/named does not have ownership named:named:
       chown named:named $ROOTDIR/var/named/
       chown named:named {all zone files where allow-update != None}
else if ( ( SELinux is enabled and the 'named_write_master_zones' boolean is 0 )
     or ( SELinux is disabled and the $ALLOW_DNS variable is 1 ) )
   and $ROOTDIR/var/named does not have ownership root:named:
       chown root:named $ROOTDIR/var/named
       chown root:named {all zone files where allow-update != None}
```

So in bind-9.2.4-4 you'll be able to set "ALLOW_DDNS=1" in /etc/sysconfig/named (if SELinux is disabled) or "named_write_master_zones"=1 in /etc/selinux/targeted/booleans (if SELinux is enabled) and the permission issues will be taken care of.

I had initially disabled selinux for named and that is when I hit the file permissions problem. I have since found out about the selinux named_write_master_zones boolean so that will enable turning selinux back on. Do you have an estimate as to when bind-9.2.4-4 will be available (I notice that bind-9.3.0 is in development)?

BTW, I really believe that SELinux should be a bit more granular about the zone files and only allow creating/updating the .jnl files -- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143440

I'll try to issue an update of bind in FC3 to 9.2.4-4 and in Rawhide to 9.3.0-2 by 2005-01-05.

This is now fixed in:
FC-3 updates: bind-9.2.4-8_FC3
FC-4 rawhide: bind-9.3.0-2
These releases should be available on the normal channels from tomorrow (2005-1-15) onwards. If the named_write_master_zones SELinux boolean is enabled (1), then the startup script will ensure that the $ROOTDIR/var/named directory has ownership named:named. Else, it will ensure ownership root:named.
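The ownership rule the comments above describe for the bind chroot, written out as a standalone POSIX shell script. This is an added example, not the Fedora package's /etc/init.d/named (whose code is not on this page). It assumes the following: ROOTDIR defaults to /var/named/chroot after sourcing /etc/sysconfig/named, an unset ALLOW_DDNS counts as 0 (the page's else branch is read as "the variable is not 1"), the SELinux boolean is read with getsebool, and the DDNS-updatable zone files are passed on the command line rather than parsed out of named.conf. The decision is kept in its own function so it can be checked without SELinux or a named user present; chown is only issued for paths whose ownership actually differs, so a correctly configured host is left untouched.

```shell
#!/bin/sh
# Added example: ownership rule for $ROOTDIR/var/named as described in the
# bug comments. Not the Fedora bind package's own init script.
# Assumptions: ROOTDIR defaults to /var/named/chroot, unset ALLOW_DDNS == 0,
# zone files are given as arguments instead of being parsed from named.conf.

# desired_owner SELINUX_ENABLED WRITE_MASTER_ZONES ALLOW_DDNS
# Prints the owner:group $ROOTDIR/var/named should have.
#   SELinux on : the named_write_master_zones boolean decides.
#   SELinux off: ALLOW_DDNS from /etc/sysconfig/named decides.
# named:named lets named write journals and replace zone files;
# root:named keeps the directory read-only for named (the hardened default).
desired_owner() {
    if [ "$1" = 1 ]; then
        decisive=$2
    else
        decisive=$3
    fi
    if [ "$decisive" = 1 ]; then
        echo named:named
    else
        echo root:named
    fi
}

# selinux_state: prints "ENABLED BOOL" for the live host, e.g. "1 1".
# Falls back to "0 0" when the SELinux tools are absent or SELinux is off.
selinux_state() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        case "$(getsebool named_write_master_zones 2>/dev/null)" in
            *on) echo "1 1" ;;
            *)   echo "1 0" ;;
        esac
    else
        echo "0 0"
    fi
}

# current_owner PATH: prints owner:group of PATH (GNU stat).
current_owner() {
    stat -c '%U:%G' "$1"
}

# ensure_owner OWNER PATH...: chown only paths whose ownership differs.
# Missing paths are skipped. Each change is echoed for the audit trail.
ensure_owner() {
    want=$1
    shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ "$(current_owner "$p")" != "$want" ]; then
            echo "chown $want $p"
            chown "$want" "$p"
        fi
    done
}

# main ZONEFILE...: apply the rule to the chroot directory and the listed
# DDNS-updatable zone files (the "allow-update != None" set in the comments).
main() {
    [ -r /etc/sysconfig/named ] && . /etc/sysconfig/named
    ROOTDIR=${ROOTDIR:-/var/named/chroot}
    state=$(selinux_state)
    se=${state% *}
    wmz=${state#* }
    want=$(desired_owner "$se" "$wmz" "${ALLOW_DDNS:-0}")
    ensure_owner "$want" "$ROOTDIR/var/named" "$@"
}

# Usage (as root):
#   sh named-owner.sh --apply /var/named/chroot/var/named/dynamic.example.zone
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

Without `--apply` the script only defines functions, so it can be sourced to inspect what `desired_owner` would choose for a given SELinux state before anything on the host is changed.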