What version of the 'selinux-policy-targeted' rpm do you have ?
 # rpm -q selinux-policy-targeted
This package must be installed whether selinux is enabled or not,
and will create a file called /etc/selinux/policy/targeted/booleans
which must contain a line like:
  'named_write_master_zones=0
  '
Please append the contents of your /etc/selinux/policy/targeted/booleans
file to this bug - thanks.

It is possible if you installed a very early version of FC3 and then
upgraded that the 'selinux-policy-targeted' package would upgrade 
its /etc/selinux/policy/targeted/booleans file by creating a 
/etc/selinux/policy/targeted/booleans.rpmsave file - this would contain
the named_write_master_zones setting that you evidently lack .  Doing:
  # mv /etc/selinux/policy/targeted/booleans.rpmsave \
       /etc/selinux/policy/targeted/booleans
should fix the problem.

That should have been:
  # mv /etc/selinux/policy/targeted/booleans.rpmnew \
       /etc/selinux/policy/targeted/booleans

Created attachment 110039 [details]
/etc/selinux/targeted/booleans per comment 1

Comment 1:  selinux-policy-targeted-1.17.30-2.72
My path is /etc/selinux/targeted/booleans.  There is only policy.18 in
/etc/selinux/targeted/policy/.

Comment 2:  There was an rpmnew file in a couple of the subdirectories
that I have mv'd over the old ones.

ok.  I think I found my problem.  The /etc/sysconfig/selinux file had
SELINUX set to disabled and SELINUXTYPE set to strict.  There was no
booleans file in the /et/selinux/strict directory.  I modified the
SELINUXTYPE to targeted and the error goes away.

OK - I was under the impression that both strict and targetted policy
had 'named_write_master_zones' - it seems that strict does not.
This problem will be fixed in the next bind release, with this patch:


--- named.init.~1.20.~  2005-01-14 13:03:51.000000000 -0500
+++ named.init  2005-01-24 17:09:46.489128000 -0500
@@ -46,11 +46,13 @@
            .  /etc/selinux/config
            if [ "$SELINUXTYPE" != "" ] && [ -d
/etc/selinux/${SELINUXTYPE} ] && [ -e
/etc/selinux/${SELINUXTYPE}/booleans  ]; then
               . /etc/selinux/${SELINUXTYPE}/booleans
-              if [ "$named_write_master_zones" -eq 1 ] ; then
-                   /bin/chown -f --from=root:named named:named
$ROOTDIR/var/named
-              elif [ "$named_write_master_zones" -eq 0 ] ; then
-                   /bin/chown -f --from=named:named root:named
$ROOTDIR/var/named
-              fi;
+              if echo "$named_write_master_zones" | /bin/egrep -q
'^[0-9]+$'; then
+                  if [ "$named_write_master_zones" -eq 1 ] ; then
+                      /bin/chown -f --from=root:named named:named
$ROOTDIR/var/named
+                  elif [ "$named_write_master_zones" -eq 0 ] ; then
+                      /bin/chown -f --from=named:named root:named
$ROOTDIR/var/named
+                  fi;
+               fi;
           fi;
         fi;
         conf_ok=0;

*** Bug 147073 has been marked as a duplicate of this bug. ***

My expectation is that an SELINUX setting of "disabled" would
override, and should be tested for before checking
SELINUXTYPE.

Man selinux:

   The SELINUX variable may be set to any one of 
   disabled, permissive, or enforcing to select one
   of these options. The disabled option completely
   disables the SELinux kernel and *application code*,

The functionality in the /etc/init.d/named script has nothing to do
with whether SELinux is enabled or not. It is there to ensure that
if the user has enabled dynamic dns updates, then the $ROOTDIR/var/named
directory will have the right ownership to enable DDNS to succeed . 
If the user has not set the 'named_write_master_zones' boolean to 1, 
then DDNS is disabled; if set to 1, then the ownership of the 
$ROOTDIR/var/named directory must be named:named to allow DDNS updates
to succeed.

Isn't the script making behavior decisions by reading
configuration settings out of an unintended policy file,
ignoring where the overall configuration says, very
specifically, that that policy, and any of its settings,
is not in effect?

It's an accidental test, whether the policy file happens
to exist in the right spot in the file system, not whether
the user intends and has specified the policy and its
settings to be implemented.

If you are reading SELinux configuration settings to make
decisions about behavior, you can't merely assert it has
nothing to do with whether SELinux is enabled.  

OK, I'll fix this in the next version: if ${SELINUX} is unset or
"disabled", then if the 'ENABLE_DDNS' variable is set in 
/etc/sysconfig/named, the $ROOTDIR/var/named permissions will be
set accordingly.  

*** Bug 149572 has been marked as a duplicate of this bug. ***

This is now fixed in bind-9.2.5rc1-1 (FC3) / bind-9.3.1rc1-1 (FC4).

If SELinux is not disabled, the setting of 'named_write_master_zones'
will determine whether $ROOTDIR/var/named has ownership named:named
(named_write_master_zones=1) or root:named (named_write_master_zones=0).

If SELinux is disabled, if the variable 'ENABLE_ZONE_WRITE' is 
set to 'yes'/'1' in /etc/sysconfig/named, then the ownership 
of  $ROOTDIR/var/named is set to named:named; if  'ENABLE_ZONE_WRITE'
is set to 'no'/'0', the ownership of  $ROOTDIR/var/named is set to
root:named; if ENABLE_ZONE_WRITE is not set, the ownership of
$ROOTDIR/var/named is unchanged. 

This automatic setting of the $ROOTDIR/var/named was to minimise
the impact of the change of ownership of $ROOTDIR/var/named to
root:root to counter known security vulnerabilities as mandated 
by our security response team.

Now, with SELinux, DDNS and slave zone writes can be enabled through
use of the system-config-security GUI only, without extra steps 
having to be taken by the administrator to set the ownership of the
/var/named directory.

*** Bug 147824 has been marked as a duplicate of this bug. ***