Bug 699759
| Summary: | SElinux Policy Blocking BIND 9.7 Zone File Write | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jonathan Loeffler <jonathan.loeffler.1> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED WORKSFORME | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 5.6 | CC: | dwalsh, jonathan.loeffler.1 | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-04-27 06:17:47 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This looks like you have some files mislabelled? # restorecon -R -v /var/named You probably need to turn on the named_write_master_zones boolean also. # setsebool -P named_write_master_zones 1 (In reply to comment #1) > This looks like you have some files mislabelled? > > # restorecon -R -v /var/named > > > > You probably need to turn on the named_write_master_zones boolean also. > > # setsebool -P named_write_master_zones 1 I changed all of my zones file locations over to the /var/named folder and then issued the selinux boolean command and all appears to be well. This is not a bug. Bind was trying to write to the etc directory when it should have been writing to the /var/named directory. This is not a bug just a misunderstanding to selinux and how bind works as a slave. problem solved. Thanks, -Jon |
Created attachment 494934 [details] Selinux debug Description of problem: When trying to reload zones on a freshly configured bind name server it appears that when a zone file is being downloaded from the master server selinux denies the write to the zones directory. Version-Release number of selected component (if applicable): bind version 9.7.0-p2-redhat-9.7.0-6.p2.e15 rhel 5.6 kernel 2.6.18-238.9.1.e15 How reproducible: This appears to happen every time my master DNS server sends a notify to the secondary (slave) server and the secondary attempts to download the changed zone file. Steps to Reproduce: 1. Change zone on primary server 2. Reload changed zone on primary 3. tail -f /var/log/messages Actual results: Zones are not transferred from the master. Expected results: Zone files should be written to my zones folder within /etc/named Additional info: SELinux is preventing named (named_t) "write" to ./zones (etc_t). I have already tried the suggested fix action that SELinux recommends and it doesn't appear to be working. This may be a bug. Both machines have been fully patched and are running the latest bind available. Please see attached debug output.