From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041201 Camino/0.8.2

Description of problem:
selinux prevents chroot-bind from creating zone files

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.68
libselinux-1.19.1-8

How reproducible:
Always

Steps to Reproduce:
1. yum installed bind and caching-named
2. yum installed chroot-bind
3. modified /etc/named.conf to be slave for specific internal zones
4. start bind .... no makey zone file DENIED

Actual Results:
selinux prevents creation of temp files and zone files

Additional info:
I followed Mr. Coker's advice and used audit2allow to determine the needed changes. I then added the following lines to /etc/selinux/targeted/src/policy/domains/misc/custom.te:

    allow named_t named_conf_t:dir write;
    allow named_t named_conf_t:file create;
    allow named_t named_conf_t:dir add_name;
    allow named_t named_conf_t:dir remove_name;
    allow named_t named_conf_t:file write;
    allow named_t named_conf_t:file rename;

Running "make -C /etc/selinux/targeted/src/policy load" fixes it.
Jan 11 08:52:51 localhost kernel: audit(1105462371.194:0): avc: denied { write } for pid=26468 exe=/usr/sbin/named name=named dev=md3 ino=1277967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jan 11 08:53:38 localhost kernel: audit(1105462418.199:0): avc: denied { write } for pid=26468 exe=/usr/sbin/named name=named dev=md3 ino=1277967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jan 11 08:55:37 localhost kernel: audit(1105462537.204:0): avc: denied { write } for pid=26468 exe=/usr/sbin/named name=named dev=md3 ino=1277967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jan 11 08:58:49 localhost kernel: audit(1105462729.204:0): avc: denied { write } for pid=26468 exe=/usr/sbin/named name=named dev=md3 ino=1277967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
There is a boolean to turn on this functionality: named_write_master_zones. You can use system-config-securitylevel to view/modify all booleans. Or you can turn it on permanently with:

    setsebool -P named_write_master_zones 1
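As an added example (written for this page, not code from the bug report or from the selinux-policy package), the following POSIX shell helper pulls the source type, target type, object class and permissions out of AVC denial lines like the ones pasted in the second comment, and reports whether a denial is the named_t-writing-to-named_zone_t case that the maintainer says the named_write_master_zones boolean covers, so the fix can be the boolean rather than a hand-written allow rule. The sample log lines are constructed (the first is copied from the report, the second is a made-up unrelated denial to show a non-match); the mapping of write-type permissions (write, create, add_name, remove_name, rename) to the boolean is an assumption drawn from the permissions listed in the report, not something this page documents.

```shell
#!/bin/sh
# Added example, not part of the original bug report.

# Constructed sample input: line 1 is the denial from the report, line 2 is a
# made-up unrelated denial (different target type and permission).
SAMPLE_AVC='Jan 11 08:52:51 localhost kernel: audit(1105462371.194:0): avc: denied { write } for pid=26468 exe=/usr/sbin/named name=named dev=md3 ino=1277967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jan 11 09:00:00 localhost kernel: audit(1105462800.000:0): avc: denied { getattr } for pid=26468 exe=/usr/sbin/named name=named.conf dev=md3 ino=99 scontext=root:system_r:named_t tcontext=system_u:object_r:named_conf_t tclass=file'

# avc_fields LINE
# Prints "source_type target_type class perm [perm ...]" for one AVC denial
# line, or nothing if the line is not a denial. The [^ ]* after the type
# tolerates a trailing MLS level such as ":s0" on newer kernels.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied { \([a-z_ ]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\)[^ ]* tcontext=[^:]*:[^:]*:\([a-z_]*\)[^ ]* tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# suggest_boolean LINE
# Prints the boolean that covers the denial, or "none". Only the named_t ->
# named_zone_t write case is known from the page; the permission list is an
# assumption based on the allow rules the reporter generated with audit2allow.
suggest_boolean() {
    set -- $(avc_fields "$1")
    case "$1:$2:$3" in
        named_t:named_zone_t:dir|named_t:named_zone_t:file)
            shift 3
            for p in "$@"; do
                case "$p" in
                    write|create|add_name|remove_name|rename)
                        echo named_write_master_zones
                        return 0 ;;
                esac
            done ;;
    esac
    echo none
}

# remediation_for LINE
# Prints the command to run for a known boolean, otherwise points back at
# audit2allow for a manual policy review (the reporter's original route).
remediation_for() {
    b=$(suggest_boolean "$1")
    if [ "$b" = none ]; then
        echo "no boolean known for this denial; review with audit2allow"
    else
        echo "setsebool -P $b 1"
    fi
}

# Walk the sample and print one summary per denial.
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
    echo "$(avc_fields "$line") -> $(remediation_for "$line")"
done
```

On a live system the same functions can be fed `grep avc: /var/log/messages` (or the audit log) instead of SAMPLE_AVC; anything reported as "none" still needs the audit2allow review the reporter describes rather than a blanket allow rule.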