Bug 184035
Summary: | named zone transfer fails due to directory ownership | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Chris Tyler <ctyler.fedora>
Component: | bind | Assignee: | Jason Vas Dias <jvdias>
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | rawhide | CC: | sundaram
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i386 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2006-03-05 19:37:26 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Chris Tyler
2006-03-05 06:37:20 UTC
By default, our security policy does not allow named to write any files in the $ROOTDIR/var/named zone database directory. We provide a $ROOTDIR/var/named/slaves/ directory, which can contain zones that named is allowed to modify, and which can be created with named.conf statements such as:

' zone "my.slave.net." { type slave; file "slaves/my.slave.zone"; ...}; '

So, if you put named-modifiable zone files in slaves/, you should have no zone transfer problems with the default named installation.

NOTE: each time the bind package gets updated, the directory permissions will be restored to defaults. Also, the SELinux policy prevents named writing zone files in $ROOTDIR/var/named.

This issue is documented in the named(8) man-page, in the NOTES section, and in the ISC BIND FAQ: http://isc.org/sw/bind/FAQ.php .

The bind security policy is as mandated by our security response team, and cannot be changed to allow writes of zone files in the $ROOTDIR/var/named directory - sorry. So I'm closing this as 'NOTABUG'.

But, for the next version of BIND, I will investigate making named emit a warning log message on startup if slave or DDNS-updateable zone files are stored in $ROOTDIR/var/named.

Thanks...

My handwritten configs always used slaves/, but configuration generated by system-config-bind does not use that subdirectory. So I suppose the bug should be filed against system-config-bind... will do.
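The startup warning suggested in the comment above, written as a stand-alone checker (an added example, not code from the bug report, BIND or system-config-bind): it parses the zone statements of a named.conf and reports every zone that named will have to write (type slave or stub, or master with allow-update/update-policy) whose file does not sit under the slaves/ directory. The sample configuration is constructed; the name of the writable directory is assumed to be slaves, as on the page.

```python
"""Flag named.conf zones that named must write but that live outside slaves/."""
import re
from pathlib import PurePosixPath

# Constructed sample named.conf, not taken from the bug report.
SAMPLE_CONF = """
options { directory "/var/named"; };
// plain master zone: named only reads it, so /var/named is fine
zone "example.com." { type master; file "example.com.zone"; };
zone "my.slave.net." { type slave; file "slaves/my.slave.zone"; masters { 192.0.2.1; }; };
zone "bad.slave.net." { type slave; file "bad.slave.zone"; masters { 192.0.2.1; }; };
zone "dyn.example." { type master; file "dyn.example.zone"; allow-update { key "ddns"; }; };
zone "static.example." { type master; file "static.zone"; allow-update { none; }; };
"""

def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot hide or fake directives."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def zone_blocks(conf):
    """Yield (zone name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        start = conf.find("{", m.end())
        depth, i = 0, start
        while i < len(conf):
            depth += conf[i] == "{"
            depth -= conf[i] == "}"
            if depth == 0:
                break
            i += 1
        yield m.group(1), conf[start + 1:i]

def needs_write(body):
    """Reason named will write this zone file, or None if it only reads it."""
    ztype = re.search(r"\btype\s+(\w+)\s*;", body)
    if ztype and ztype.group(1).lower() in ("slave", "stub"):
        return ztype.group(1).lower()
    if re.search(r"\bupdate-policy\s*\{", body):
        return "update-policy"
    upd = re.search(r"\ballow-update\s*\{([^}]*)\}", body)
    if upd and upd.group(1).strip() != "none;":
        return "allow-update"
    return None

def misplaced_writable_zones(conf, writable_dir="slaves"):
    """Return [(zone, reason, file)] for writable zones stored outside writable_dir."""
    findings = []
    for name, body in zone_blocks(strip_comments(conf)):
        reason = needs_write(body)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        # Assumption: any path (relative or absolute) with a "slaves" component is OK.
        if reason and zfile and writable_dir not in PurePosixPath(zfile.group(1)).parts:
            findings.append((name, reason, zfile.group(1)))
    return findings
```

Run against the sample, it reports bad.slave.net. (slave) and dyn.example. (allow-update) and accepts the zone already under slaves/ and the master zone with allow-update { none; }.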