Bug 164086

Summary: chroot named has incorrect permissions, will not allow sync
Product: [Fedora] Fedora
Component: bind
Version: 4
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Reporter: Jonathan Hutchins <hutchins>
Assignee: Jason Vas Dias <jvdias>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2005-07-24 17:23:34 UTC

Description Jonathan Hutchins 2005-07-24 15:51:28 UTC
Description of problem:
chroot named will not allow transfers: 
 
named[2476]: dumping master file: tmp-Vs1ARVTUWq: open: permission denied 
named[2476]: transfer of '<domain>/IN' from <IP ADDRESS>#53: failed while receiving responses: permission denied
 
named appears to have access to appropriate directories in /var/named/chroot 
through membership in group "named": 
 
ls -l /var/named/chroot 
total 24 
drwxrwxr--    2 root named 4096 Jul 19 08:56 dev 
drwxrwx---    2 root named 4096 Jul 19 08:56 etc 
dr-xr-xr-x  167 root root     0 Jul 23 02:18 proc 
drwxrwx---    5 root named 4096 Mar 13  2003 var 
 

Version-Release number of selected component (if applicable):
bind-chroot-9.3.1-8.FC4

How reproducible:
Always


Comment 1 Jonathan Hutchins 2005-07-24 17:23:34 UTC
The problem appears to be that /var/named/chroot/var/named did not have group   
write permissions, and the configuration transferred from the master server   
was storing slave zone files in /var/named/chroot/var/named instead   
of /var/named/chroot/var/named/slaves.   
 
Consider documenting this somewhere? 

Comment 2 Jason Vas Dias 2005-07-24 20:42:30 UTC
This is documented - see 'man named' section NOTES,
"Red Hat SELinux BIND Security Profile", and 
'man named_selinux'.
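
An added example, not part of the original bug report or the bind package: a shell check for the condition Comment 1 describes, listing the directory each slave zone file is written to under the chroot and flagging any that lack the group-write bit. The chroot tree, named.conf and zone names are constructed; the parser assumes one statement per line and that relative file paths resolve against the options directory (falling back to /var/named).

```shell
# Added example: find where a chrooted named writes slave zone files and
# flag directories without the group-write bit (the cause found in Comment 1).

# slave_zone_files CONF: print the file "..." path of every zone of type slave.
# Assumption: one statement per line inside zone { ... }; not a full parser.
slave_zone_files() {
    awk '
        /^[[:space:]]*zone[[:space:]]/ { slave = 0; file = "" }
        /type[[:space:]]+slave[[:space:]]*;/ { slave = 1 }
        /file[[:space:]]+"/ { split($0, p, "\""); file = p[2] }
        /^[[:space:]]*}[[:space:]]*;/ { if (slave && file != "") print file; slave = 0 }
    ' "$1"
}

# check_slave_dirs CHROOT: one line per slave zone: OK, NO-GROUP-WRITE or MISSING.
check_slave_dirs() {
    root=$1; conf=$root/etc/named.conf
    base=$(awk -F'"' '/directory[[:space:]]+"/ { print $2; exit }' "$conf")
    slave_zone_files "$conf" | while read -r f; do
        case $f in /*) ;; *) f="${base:-/var/named}/$f" ;; esac
        dir=$root$(dirname "$f")
        [ -d "$dir" ] || { echo "MISSING $dir"; continue; }
        mode=$(ls -ld "$dir" | cut -c1-10)    # e.g. drwxrwx---
        case $mode in
            d????w????) echo "OK $mode $dir" ;;              # 6th char = group write
            *)          echo "NO-GROUP-WRITE $mode $dir" ;;
        esac
    done
}

# make_sample DIR: constructed chroot tree matching the report: var/named
# without group write (0750), var/named/slaves with it (0770).
make_sample() {
    mkdir -p "$1/etc" "$1/var/named/slaves"
    chmod 750 "$1/var/named"; chmod 770 "$1/var/named/slaves"
    cat > "$1/etc/named.conf" <<'EOF'
options { directory "/var/named"; };
zone "example.com" IN {
    type slave; masters { 192.0.2.1; };
    file "example.com.zone";
};
zone "example.net" IN {
    type slave; masters { 192.0.2.1; };
    file "slaves/example.net.zone";
};
EOF
}

demo=$(mktemp -d) && make_sample "$demo" && check_slave_dirs "$demo"; rm -rf "$demo"
```

On a real host, run `check_slave_dirs /var/named/chroot` as root; the check covers only the mode bit, so confirm separately that the directory's group is `named`.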