Bug 141800 - Selinux denies named creating jnl files for dynamic update.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-12-03 15:46 EST by Niels Basjes
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-12-04 10:57:53 EST
Doc Type: Bug Fix
Attachments: None
Description Niels Basjes 2004-12-03 15:46:28 EST
Description of problem:
I have migrated an existing bind configuration that uses dynamic
updates from the isc dhcp server to FC3.
The problem is that the selinux security settings for /var/named do
not allow the named server to create the journaling files used for
dynamic updates.

Version-Release number of selected component (if applicable):
bind-9.2.4-2 and dhcp-3.0.1-11

How reproducible:

The initial situation is that the journaling files do not yet exist.
So the content of /var/named is:

drwxr-x---  named    named    system_u:object_r:named_zone_t   ./
drwxr-xr-x  root     root     system_u:object_r:var_t          ../
-rw-------  named    named    system_u:object_r:named_zone_t   0.0.127.in-addr.arpa.zone
-rw-------  named    named    system_u:object_r:named_zone_t   13.21.172.in-addr.arpa.zone
-rw-------  named    named    system_u:object_r:named_zone_t   14.21.172.in-addr.arpa.zone
-rw-------  named    named    system_u:object_r:named_zone_t   basjes.nl.zone
drwx------  named    named    system_u:object_r:named_cache_t  data/
-rw-------  named    named    system_u:object_r:named_zone_t   localhost.zone
-rw-------  named    named    system_u:object_r:named_conf_t   named.ca
-rw-------  named    named    system_u:object_r:named_zone_t   named.local
drwx------  named    named    system_u:object_r:named_cache_t  slaves/


If a host requests an IP address the /var/log/messages shows these lines:
Dec  3 21:16:03 home named[1662]: client 172.21.13.10#33286: updating zone 'basjes.nl/IN': adding an RR
Dec  3 21:16:03 home named[1662]: client 172.21.13.10#33286: updating zone 'basjes.nl/IN': adding an RR
Dec  3 21:16:03 home named[1662]: journal file basjes.nl.zone.jnl does not exist, creating it
Dec  3 21:16:03 home named[1662]: basjes.nl.zone.jnl: create: permission denied
Dec  3 21:16:03 home named[1662]: client 172.21.13.10#33286: updating zone 'basjes.nl/IN': error: journal open failed: unexpected error
Dec  3 21:16:03 home kernel: audit(1102104963.012:0): avc:  denied  { write } for  pid=1663 exe=/usr/sbin/named name=named dev=hda3 ino=803658 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec  3 21:16:03 home dhcpd: Unable to add forward map from flyer.basjes.nl to 172.21.13.4: timed out

Now (just as a test!) I do: chcon system_u:object_r:named_cache_t /var/named
Followed by: service named restart

Now if the same host tries to get an IP again I see this in
/var/log/messages:
Dec  3 21:24:49 home named[1758]: client 172.21.13.10#33293: updating zone 'basjes.nl/IN': adding an RR
Dec  3 21:24:49 home named[1758]: client 172.21.13.10#33293: updating zone 'basjes.nl/IN': adding an RR
Dec  3 21:24:49 home named[1758]: journal file basjes.nl.zone.jnl does not exist, creating it
Dec  3 21:24:49 home dhcpd: Added new forward map from flyer.basjes.nl to 172.21.13.4
Dec  3 21:24:49 home named[1758]: client 172.21.13.10#33293: updating zone '13.21.172.in-addr.arpa/IN': deleting an rrset
Dec  3 21:24:49 home named[1758]: client 172.21.13.10#33293: updating zone '13.21.172.in-addr.arpa/IN': adding an RR
Dec  3 21:24:49 home dhcpd: added reverse map from 4.13.21.172.in-addr.arpa. to flyer.basjes.nl

Now in /var/named I find a new file:
-rw-r--r--   1 root:object_r:named_cache_t      named named  785 Dec  3 21:24 basjes.nl.zone.jnl

Note that if I restore the contexts (restorecon /var/named/ /var/named/*) the result is that named runs into a lot of avc errors again.

My conclusion: The selinux settings for /var/named seem to be too
strict on this point.
Comment 1 Niels Basjes 2004-12-03 16:26:54 EST
Additional info:

After a while I also get these messages:

Dec  3 22:21:35 home named[2329]: dumping master file: rename: basjes.nl.zone: permission denied
Dec  3 22:21:35 home named[2329]: zone basjes.nl/IN: dump failed: permission denied
Dec  3 22:21:35 home kernel: audit(1102108895.894:0): avc:  denied  { unlink } for  pid=2330 exe=/usr/sbin/named name=basjes.nl.zone dev=hda3 ino=803923 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file

The directory /var/named is filling with temporary files and now looks
like this:
drwxr-x---   4 system_u:object_r:named_cache_t  named named 4096 Dec  3 22:21 ./
drwxr-xr-x  24 system_u:object_r:var_t          root  root  4096 Nov  9 09:26 ../
-rw-------   1 system_u:object_r:named_zone_t   named named  180 Nov 14 20:58 0.0.127.in-addr.arpa.zone
-rw-------   1 system_u:object_r:named_zone_t   named named  652 Nov 14 22:45 13.21.172.in-addr.arpa.zone
-rw-------   1 system_u:object_r:named_zone_t   named named  467 Nov 14 20:58 14.21.172.in-addr.arpa.zone
-rw-------   1 system_u:object_r:named_zone_t   named named 1402 Dec  3 20:54 basjes.nl.zone
-rw-r--r--   1 system_u:object_r:named_zone_t   named named  785 Dec  3 21:24 basjes.nl.zone.jnl
drwx------   2 system_u:object_r:named_cache_t  named named 4096 Oct 18 23:17 data/
-rw-------   1 system_u:object_r:named_zone_t   named named  171 Nov 14 22:43 localhost.zone
-rw-------   1 system_u:object_r:named_conf_t   named named 2769 Nov 14 22:43 named.ca
-rw-------   1 system_u:object_r:named_zone_t   named named  433 Nov 14 22:43 named.local
drwx------   2 system_u:object_r:named_cache_t  named named 4096 Oct 18 23:17 slaves/
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 21:42 tmp-XXXX7qm856
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 21:47 tmp-XXXXDK2Drh
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 22:06 tmp-XXXXJrxV6d
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 21:27 tmp-XXXXqfuaz3
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 21:27 tmp-XXXXxQUs8D
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 21:51 tmp-XXXXzqyerd
-rw-------   1 root:object_r:named_cache_t      named named 1473 Dec  3 22:21 tmp-XXXXZsIsiP


Comment 2 Niels Basjes 2004-12-03 16:34:42 EST
I forgot to mention I currently have
selinux-policy-targeted-1.17.30-2.40 installed.
Comment 3 Daniel Walsh 2004-12-04 10:39:52 EST
try setting the named_write_master_zones boolean.

setsebool -P named_write_master_zones 1

Or you can use system-config-securitylevel to do it.

Dan
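Both denials quoted in this report (the write on the /var/named directory in the description and the unlink of basjes.nl.zone in comment 1) have source type named_t and target type named_zone_t, which is exactly the access the named_write_master_zones boolean from comment 3 switches on. The following is an added example, not code from the bug report or from the selinux-policy project: a small POSIX sh triage helper that parses an AVC line of that shape into its fields and tells you whether you are looking at this boolean's case or at some other denial. The sample line is the one from the description, joined onto one line. getsebool, setsebool -P and restorecon are real commands; the apply_fix function's order (set the boolean, then restorecon the labels the reporter changed with chcon as a test) is an assumed remediation sequence, not one the report prescribes.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Classifies an AVC denial line and, on a live SELinux host, checks and
# applies the fix from comment 3 (setsebool -P named_write_master_zones 1).

# Constructed sample: the denial quoted in the description, on one line.
SAMPLE_AVC='Dec  3 21:16:03 home kernel: audit(1102104963.012:0): avc:  denied  { write } for  pid=1663 exe=/usr/sbin/named name=named dev=hda3 ino=803658 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir'

# avc_perms LINE: print the permissions inside "{ ... }", e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_field LINE KEY: print the value of a KEY=value field (scontext, tclass, ...).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_master_zone_write LINE: succeed when the denial is named_t trying to
# modify named_zone_t (the zone files or their directory). This is the
# access named_write_master_zones permits; a denial with any other source
# or target type needs a different fix, not this boolean.
is_master_zone_write() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = named_t ] || return 1
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = named_zone_t ] || return 1
    for perm in $(avc_perms "$1"); do
        case $perm in
            write|create|unlink|rename|add_name|remove_name|setattr) return 0 ;;
        esac
    done
    return 1
}

# boolean_is_on: succeed when the boolean is already active (needs getsebool).
boolean_is_on() {
    getsebool named_write_master_zones 2>/dev/null | grep -q -- '--> on$'
}

# apply_fix: set the boolean persistently, then put /var/named back to its
# policy-defined labels (the report's chcon to named_cache_t was only a test).
# Assumed order, not prescribed by the report. Must run as root.
apply_fix() {
    setsebool -P named_write_master_zones 1 && restorecon -R -v /var/named
}

# Usage on a live host: run the kernel audit lines through the classifier.
#   grep 'avc:  denied' /var/log/messages | while IFS= read -r line; do
#       is_master_zone_write "$line" && echo "boolean case: $line"
#   done
```

The classifier keys on the type fields rather than on the file name, so it also catches the tmp-XXXX... rename/unlink denials from comment 1 without a list of file names; anything whose source is not named_t or whose target is not named_zone_t is reported as a different problem rather than papered over with the boolean.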
Comment 4 Niels Basjes 2004-12-04 10:57:53 EST
Thanks, that solved the problem for me.
I changed this 'bug' report to NOTABUG.
Comment 5 Eugene Kanter 2005-05-21 23:21:08 EDT
(In reply to comment #3)
Dan,
in bind-chroot-9.2.5-1 the /var/named/chroot/var/named folder is owned by root and not named. To make named update the zone I had to chown the folder first. Is this a bug?
