Bug 545128

Read the sealert.  It tells you what to do.

Ran the "fix" "setsebool -P named_write_master_zones=1" many times with reboot yields the same error. Relocated the zone file to /var/named/data, /var/named/slave, var/named/dynamic, still resulting in same error. chown the entire directory to named:named still the same issue. Googled many days with the error, tried every suggestion, even the ones I know wouldn't work, still the same issue. Filed a bug report here, with the suggestion to retry "setsebool -P named_write_master_zones=1", followed it anyway. Still the same issue. 

Planning on disabling selinux on named all together, at this point

# getsebool -a | grep named
If it is turned on, could you execute 

ausearch -m avc -ts recent | audit2allow -w

This is very severe bug, as it prevents name server to be used as the secondary name server!

The bug is localized in the /etc/init.d/named starting script, line 61.
This script resets named_write_master_zones to "off" every time it is called. The result is, that setsebool -P named_write_master_zones=1 has no chance to work.

The autor of this stupid change should be penalized!

Bug should be fixed by commenting off the bad line and then set  
named_write_master_zones to on.

Daniel, please, could someone from redhat fix the same bug in Fedora 11 ?

WHat is this script attempting to do?

The bind init script should not be changing these booleans.

Agree!

Someone puts these lines :
------------------------------------------------------
 # Enable/disable debugging
if [ "x$DEBUG" = 'xyes' ]; then
  chown named.named /var/named
  if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled &&
    [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'off' ]; then
      setsebool named_write_master_zones 1
  fi;
else
  chown root.named /var/named
  if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled &&
    [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'on' ]; then
      setsebool named_write_master_zones 0
  fi;
fi
----------------------------------------------------
to the bind init script in Fedora 11 (no "debugging section was present in Fedora 10 and previous).

IMO it should be removed.

Last update of bind at Fedora 11 broke my secondary name server again.

 PLEASE, could the maintainer of the bind package fix this stupid bug!? What is the purpose of redhat's bugzila, if no one cares?

bind-9.6.1-10.P3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bind-9.6.1-10.P3.fc11

bind-9.6.1-16.P3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bind-9.6.1-16.P3.fc12

The bug seems to be fixed, thanks.

bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1186

bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1195

bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Looks like it is fixed!

Even with 9.6.1-16.P3.f12 installed, I am getting this problem.


Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.6.1-16.P3.fc12
Target RPM Packages           bind-chroot-9.6.1-16.P3.fc12
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   named_write_master_zones
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.3.fc12.i686
                              #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 15 Feb 2010 01:00:53 PM PST
Last Seen                     Mon 15 Feb 2010 01:00:53 PM PST
Local ID                      af76ff2a-7a9d-4aa1-be09-df3541fb6300
Line Numbers                  

Raw Audit Messages            

node=gold.cdkkt.com type=AVC msg=audit(1266267653.35:9): avc:  denied  { write } for  pid=1569 comm="named" name="named" dev=sdb10 ino=414387 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1266267653.35:9): arch=40000003 syscall=33 success=yes exit=0 a0=992e0b a1=2 a2=99b1ac a3=99fc20 items=0 ppid=1 pid=1569 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

What do I need to do?

(In reply to comment #18)
> What do I need to do?    

Have you tried to set named_write_master_zones SELinux boolean? ("setsebool -P named_write_master_zones=1"). Note that preferred location for secondary (slave) zones is /var/named/slaves/ directory and for DDNS zones it is /var/named/dynamic/ directory. Both directories are writable by named by default.

Dan the alert message told you what to do.

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

I have read this buglist in it's entirety and it
says not to use the setsebool line if your email
server is the master email server, as it is in
my case. I do not have a secondary e-mail server.

So, are you saying that I should run the setsebool cmd,
on the master email server?

There is no mention of email service in this bug?  Yes you need to run the command.  Your Bind/Named service is receiving zone files from another Named service, and trying to write the zone files to local disk.  At least for one zone this named is a secondary server to another domain.