Description of problem:
BIND with the bind-dyndb-ldap plugin needs write access to the /var/named/dyndb-ldap directory.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-119.fc20.noarch

How reproducible:
100 %

Steps to Reproduce:
1. Install bind with a bind-dyndb-ldap build from https://github.com/spacekpe/bind-dyndb-ldap.git
2. Run named

Actual results:
SELinux is preventing /usr/sbin/named from write access on the directory dyndb-ldap.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow named to write master zones
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.
You can read 'None' man page for more details.
Do
setsebool -P named_write_master_zones 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that named should be allowed write access on the dyndb-ldap directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Expected results:
Write access is allowed.

Additional info:
It could be a new boolean, but in that case we need a means to enable such a boolean during bind-dyndb-ldap package installation. I don't know if enabling the named_write_master_zones boolean is okay; it is more generic. We need access only to a sub-dir, but I don't insist on a new boolean. Please guide me. Thank you!
Could you attach AVC info?
# grep named /var/log/audit/audit.log
type=AVC msg=audit(1392726885.485:256): avc: denied { write } for pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1392726885.485:256): arch=c000003e syscall=83 success=no exit=-13 a0=7fbbea048f50 a1=1c0 a2=fe0 a3=fe items=0 ppid=6939 pid=6943 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 ses=4294967295 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=SERVICE_START msg=audit(1392726885.491:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="named" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

If you need any other information, just tell me what to do. Thanks!
Miroslav, do you need something else? We would like to see the new policy as soon as possible, because it blocks us from releasing the new bind-dyndb-ldap package to Fedora. Thank you!
Either

# chcon -R -t named_cache_t /var/named/dyndb-ldap

or you can activate the boolean in the scriptlet.
Okay, I will activate named_write_master_zones. Thank you for your help!
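As an added example (not code from this bug report or from bind-dyndb-ldap), a POSIX shell script that parses an AVC record like the one pasted above, flags the named_t-on-named_zone_t write case this thread is about, and prints the two remedies discussed (the boolean or a named_cache_t relabel). The directory path passed to avc_remedy is an assumption, since the AVC record carries only the final path component; the semanage/restorecon form is the persistent variant of the chcon suggested above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from bind-dyndb-ldap.
# Triage an audit AVC record and decide whether it is the named_t -> named_zone_t
# write denial that the named_write_master_zones boolean (or a relabel) covers.

# Constructed sample, copied from the denial reported above (AVC record only).
SAMPLE_AVC='type=AVC msg=audit(1392726885.485:256): avc: denied { write } for pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=... (quotes stripped), or nothing.
# A leading space is added so the first field (type=) matches like the others.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the denied permissions inside { ... }, e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_classify RECORD: print "named-zone-write" when a named_t process was
# denied a write-type permission on a named_zone_t dir or file, else "other".
avc_classify() {
    rec=$1
    src=$(avc_field "$rec" scontext | cut -d: -f3)   # source type, e.g. named_t
    tgt=$(avc_field "$rec" tcontext | cut -d: -f3)   # target type, e.g. named_zone_t
    cls=$(avc_field "$rec" tclass)
    writes=0
    for p in $(avc_perms "$rec"); do
        case $p in write|add_name|remove_name|create|rename|unlink) writes=1 ;; esac
    done
    if [ "$src" = named_t ] && [ "$tgt" = named_zone_t ] && [ "$writes" = 1 ]; then
        case $cls in dir|file) echo named-zone-write; return 0 ;; esac
    fi
    echo other
}

# avc_remedy RECORD DIR: print (do not run) the two fixes discussed in the thread.
# DIR is assumed: the AVC record carries only name="dyndb-ldap", not the full path.
# semanage + restorecon is used instead of chcon so the label survives a restorecon.
avc_remedy() {
    [ "$(avc_classify "$1")" = named-zone-write ] || return 1
    echo "setsebool -P named_write_master_zones 1"
    echo "semanage fcontext -a -t named_cache_t '$2(/.*)?' && restorecon -R $2"
}

avc_classify "$SAMPLE_AVC"
avc_remedy "$SAMPLE_AVC" /var/named/dyndb-ldap
```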