Red Hat Bugzilla – Bug 126638
Permissions for /var/named set by BIND RPM conflict with DDNS
Last modified: 2007-11-30 17:10:45 EST
Description of problem:
When the bind RPM is installed it sets the ownership and permissions
on /var/named using the line '%attr(750,root,named) %dir /var/named'
in the spec file. Since named runs as the user named, named does not
have write access to /var/named. However, named needs write access to
/var/named in order to create the journal files it uses for dynamic DNS.
Steps to Reproduce:
1. Install bind, configure it for dynamic DNS, and start it (named).
2. Install dhcp, configure it for dynamic DNS, and start it (dhcpd).
3. Have a client make a DHCP request.
4. Stop bind (named).
Actual Results: named did not create *.jnl files for the zone files
that need to be updated by dynamic DNS.
Expected Results: named should have created the *.jnl files for the
zones that needed to be updated by dynamic DNS.
Can't you set up these journal files to be in a subdirectory of named
with the appropriate privs?
I do not know of any way to do this. BIND creates the *.jnl files
automatically in its working directory, which is specified by the
'directory' option in /etc/named.conf. The working directory is the
same directory that contains the zone files, and it is configured to be
'/var/named' by the /etc/named.conf file installed by the
caching-nameserver RPM. I do not know of any option to set the path
for the *.jnl files separately from the path for the working directory.
Feeding the Google search, the error messages you'll see are:
dumping master file: tmp-XXXXPyA987: open: permission denied
zone my.domain.name/IN: dump failed: permission denied
*** Bug 112350 has been marked as a duplicate of this bug. ***
This is now fixed with selinux-policy-targeted-1.17.4-1.
You may need to do:
chown named:named /var/named
The ownership of this directory was changed to root:root
in bind-9.2.3-13 as a security measure.