Description of problem: I have named (bind) and dhcpd configured to perform dynamic dns updates. With selinux in enforcing mode, I need to enable named for writing master zones. Now to support dynamic dns updating from dhcpd, named creates and updates "___.jnl" files for each zone being handled but does not modify the actual files which define the base zone information. To have this work with selinux, I need to set the named_write_master_zones boolean which (if I understand correctly) enables it to modify any of the zone files whereas I only want it to create and update the .jnl files. This level of granularity should be supported. I have made this an RFE although I could also consider it a bug.
also see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141800
Actually, the .jnl files are just a place to store incoming DDNS updates, which are then "flushed" periodically or by the "rndc flush" command: i.e. the updates are merged with the existing zone file contents and the zone file is replaced with the updated zone. So I can't see any point to enabling .jnl file write without also enabling zone file write: doing so would make all updates impermanent with the same lifetime as the current named instance. If these 'impermanent updates' are what you want, the same result could be achieved by making the original zone files read-only.
Thanks for the information. I was not aware that the updates were merged into the regular zone files. With this understanding, I am closing the report.
Actually, the above is not quite the full story. See:
file:///usr/share/doc/bind-9.2.4/arm/Bv9ARM.ch04.html#dynamic_update
file:///usr/share/doc/bind-9.3.0/arm/Bv9ARM.ch03.html#AEN347
In BIND-9.2.4, the .jnl updates are merged with the master zone only on name server shutdown / startup. In BIND-9.3.0, there is now the 'rndc freeze' command, which merges in the updates and disables DDNS for a zone, and the 'rndc unfreeze' command, which re-enables DDNS for a zone.
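The check a practitioner would want before flipping the boolean, as an added example that is not part of the bug thread: given `getsebool` and `ls -Z` output (constructed samples here), report which zone files named could journal under the current policy. It assumes the stock Fedora/RHEL policy types, where files of type named_zone_t are writable by named only when named_write_master_zones is on and named_cache_t files (e.g. under /var/named/dynamic) are always writable, so a dynamic zone placed there needs no boolean at all.

```shell
#!/bin/sh
# Added example, not from the bug report. Decides, per zone file, whether named
# may create/update its .jnl journal (and, per the thread, rewrite the zone
# itself when the journal is merged) under the current SELinux boolean.
# Assumed policy: named_zone_t writable only with named_write_master_zones=on;
# named_cache_t always writable by named.

# Extract "on"/"off" from a getsebool line: "named_write_master_zones --> off".
bool_state() {
    printf '%s\n' "$1" | awk '$1 == "named_write_master_zones" { print $3 }'
}

# Extract the SELinux type (third field of the context) from an `ls -Z` line.
context_type() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit } }'
}

# Exit 0 if named may write a file of SELinux type $2 given boolean state $1.
journal_writable() {
    case "$2" in
        named_cache_t) return 0 ;;
        named_zone_t)  [ "$1" = "on" ] ;;
        *)             return 1 ;;
    esac
}

# Constructed sample input standing in for `getsebool` and `ls -Z /var/named`.
SEBOOL='named_write_master_zones --> off'
ZONES='-rw-r--r--. root named system_u:object_r:named_zone_t:s0 /var/named/example.com.zone
-rw-r--r--. root named system_u:object_r:named_zone_t:s0 /var/named/10.in-addr.arpa.zone
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/dynamic/lab.internal.zone'

report() {
    state=$(bool_state "$SEBOOL")
    printf '%s\n' "$ZONES" | while IFS= read -r line; do
        t=$(context_type "$line")
        f=${line##* }
        if journal_writable "$state" "$t"; then
            echo "$f ($t): named can create/update ${f}.jnl and merge it"
        else
            echo "$f ($t): journal writes denied; DDNS updates to this zone fail"
        fi
    done
}

report
```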