Bug 239149

Summary: bind-chroot breaks dynamic DNS
Product: Fedora
Reporter: Jeff Layton <jlayton>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: ovasik, steved
Hardware: All
OS: Linux
Fixed In Version: 9.4.1-4.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-08 15:59:26 UTC
Bug Blocks: 239802

Attachments:
attachment 154199: proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE (flags: none)
attachment 154200: proposed patch -- fix selinux_enabled and also fix chown'ing (flags: none)

Description Jeff Layton 2007-05-05 11:08:05 UTC
I've noticed that when the bind package is updated, it chowns all of the files
in /var/named/chroot/var/named to root:named. This seems to happen when
/usr/sbin/bind-chroot-admin --enable is run.

I run my nameserver with dynamic DNS enabled. When this occurs, updates no
longer work. It seems like the chown'ing of the files in there to root:named
ought to be conditional on a setting of some sort.

Comment 1 Jeff Layton 2007-05-05 11:45:12 UTC
Created attachment 154199 [details]
proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE

This patch seems to correct it and I think it should be what we want. This
makes the user to which we chown the zonefiles in /var/named and
${BIND_CHROOT_PREFIX}/var/named vary depending upon whether $ENABLE_ZONE_WRITE
is set.

Comment 2 Jeff Layton 2007-05-05 12:47:42 UTC
Created attachment 154200 [details]
proposed patch -- fix selinux_enabled and also fix chown'ing

This patch should also fix the problem and more correctly. It adds a new
function to detect whether master zone writes are enabled based on selinux
settings. If selinux isn't enabled then it falls back to using
$ENABLE_ZONE_WRITES.

This also fixes what appears to be a bug in this script. The return codes for
the selinuxenabled command are actually reversed (it returns 0 for true).
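An added example, not the patch attached to this bug: a POSIX shell sketch of the decision comment 2 describes, reading the selinuxenabled exit status the right way round (0 means SELinux is enabled) and falling back to $ENABLE_ZONE_WRITE when SELinux is off, so that a package update does not hand master zone files to root and break dynamic updates. The boolean name named_write_master_zones, the "named" user/group and the DRY_RUN knob are assumptions of this example, not taken from the bug.

```shell
#!/bin/sh
# Added example (not the bind-chroot-admin patch from this bug): choose the
# owner of master zone files before chowning them, so a package update does
# not silently take write access away from named when dynamic DNS is in use.
#
# Assumptions not taken from the bug: the SELinux boolean is called
# named_write_master_zones, the daemon user/group is "named", and the
# non-SELinux fallback is ENABLE_ZONE_WRITE (yes/no) from sysconfig.

ZONE_USER=named

# Pure decision: no system calls, so it can be exercised anywhere.
#   $1  "enabled" | "disabled"   SELinux state
#   $2  "on" | "off"             value of named_write_master_zones
#   $3  "yes" | "no"             ENABLE_ZONE_WRITE
# Prints the user:group that master zone files should be owned by.
zone_owner() {
    if [ "$1" = enabled ]; then
        # SELinux is on: the boolean is authoritative. With it off, policy
        # blocks named's writes no matter who owns the file.
        if [ "$2" = on ]; then writes=yes; else writes=no; fi
    else
        writes=$3
    fi
    if [ "$writes" = yes ]; then
        echo "$ZONE_USER:$ZONE_USER"   # named may rewrite the zone (DDNS)
    else
        echo "root:$ZONE_USER"         # zone is read-only for named
    fi
}

# selinuxenabled follows the normal shell convention: exit status 0 means
# SELinux IS enabled, so "if selinuxenabled" is the correct test. Treating
# 0 as "disabled" is the reversal comment 2 fixes.
detect_selinux_state() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# getsebool prints "named_write_master_zones --> on"; keep the last word.
# Prints nothing when the SELinux tools are absent, which zone_owner reads as off.
detect_sebool() {
    getsebool named_write_master_zones 2>/dev/null | awk '{print $NF}'
}

# Apply the decision to one zone directory, e.g. /var/named or
# ${BIND_CHROOT_PREFIX}/var/named. DRY_RUN=1 prints instead of changing.
chown_master_zones() {
    dir=$1
    owner=$(zone_owner "$(detect_selinux_state)" "$(detect_sebool)" "${ENABLE_ZONE_WRITE:-no}")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "chown $owner $f"
        else
            chown "$owner" "$f"
        fi
    done
}
```

Source the file and call chown_master_zones on /var/named and on the chroot copy; with DRY_RUN=1 it only prints the chown commands, which is a convenient way to see what an update would do to the zone files before letting it run.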

Comment 3 Adam Tkac 2007-05-22 15:28:51 UTC
Could be fixed in bind-9.3.4-5.fc6. Thanks for the patch.

Regards, Adam

Comment 4 Adam Tkac 2007-06-04 10:22:39 UTC
After further thought I'm changing the policy in rawhide. Please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241872#c1 for the reasons. In
the future only the /var/named/slaves directory is for slave zones.

Regards, Adam

Comment 5 Jeff Layton 2007-06-04 10:50:48 UTC
I'm not sure I understand your last comment. Do you mean that you're backing out
this change and that if I want a writable master zone that I should put it in
/var/named/slaves?


Comment 6 Adam Tkac 2007-06-04 10:53:02 UTC
Yeah. I think this could be the best solution, couldn't it?

Comment 7 Adam Tkac 2007-06-04 10:54:07 UTC
But only in Fedora-rawhide; Fedora <= 7 will be unaffected by this change.

Comment 8 Adam Tkac 2007-06-04 10:56:14 UTC
Hm, wait. We're talking about dynamic DNS, not about slave DNS. Let me check it

-A-

Comment 9 Jeff Layton 2007-06-04 11:14:40 UTC
What might be best actually is to make a separate directory for master zones
(i.e. /var/named/master). Then you won't need to make /var/named be owned by
named at all. That probably means selinux policy changes, etc, but I think that
might be the best solution.


Comment 10 Fedora Update System 2007-06-08 15:59:11 UTC
bind-9.4.1-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.