149572 – named init script makes /var/named unwritable - selinux

Bug 149572 - named init script makes /var/named unwritable - selinux

Summary: named init script makes /var/named unwritable - selinux

Keywords:
Status:	CLOSED DUPLICATE of bug 145664
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bind
Sub Component:
Version:	3
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Jason Vas Dias
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-02-24 00:01 UTC by Trevor Cordes
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-02-21 19:08:13 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Trevor Cordes 2005-02-24 00:01:54 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
I was getting strange errors where dynamic DNS records were not being updated when new Windows clients connected to my samba network. I determined that the permissions on /var/named were incorrect. They were root:named 750 when they should be named:named 750. Since it was not writable, named could not associate WINS names with the DNS entries and I had subtle network issues because of it.

Lines 49-52 in /etc/init.d/named are to blame. They must be fairly new as this never occurred before about a month ago.

It is obvious from the source script that named_write_master_zones should be set to 1 in /etc/selinux/*/booleans.

I use selinux in WARN-only mode. Since the above lines are most likely an addition to BIND just for selinux's sake, then shouldn't the default be permissive, especially if selinux is in WARN mode? Quietly changing the perms on /var/named because of some other piece of software is bad form, no? The solution is not readily apparent and most likely there is no mention of named_write_master_zones in man named*!

Version-Release number of selected component (if applicable):
bind-9.2.4-8_FC3 selinux-policy-targeted-1.17.30-2.75

How reproducible:
Always

Steps to Reproduce:
1. turn on selinux (warn mode will suffice)
2. service named restart
3.

Actual Results: /var/named permissions do not allow writes by named and some functions of named fail.

Expected Results: It should not change the permissions/ownership by default.

Additional info:

Comment 1 Jason Vas Dias 2005-02-25 19:55:56 UTC

This is now fixed in bind-9.2.5rc1-1 (FC3) / bind-9.3.1rc1-1 (FC4).

If SELinux is not disabled, the setting of 'named_write_master_zones'
will determine whether $ROOTDIR/var/named has ownership named:named
(named_write_master_zones=1) or root:named (named_write_master_zones=0).

If SELinux is disabled, if the variable 'ENABLE_ZONE_WRITE' is 
set to 'yes'/'1' in /etc/sysconfig/named, then the ownership 
of  $ROOTDIR/var/named is set to named:named; if  'ENABLE_ZONE_WRITE'
is set to 'no'/'0', the ownership of  $ROOTDIR/var/named is set to
root:named; if ENABLE_ZONE_WRITE is not set, the ownership of
$ROOTDIR/var/named is unchanged. 

This automatic setting of the $ROOTDIR/var/named was to minimise
the impact of the change of ownership of $ROOTDIR/var/named to
root:root to counter known security vulnerabilities as mandated 
by our security response team.

Now, with SELinux, DDNS and slave zone writes can be enabled through
use of the system-config-security GUI only, without extra steps 
having to be taken by the administrator to set the ownership of the
/var/named directory.


*** This bug has been marked as a duplicate of 145664 ***

Comment 2 Red Hat Bugzilla 2006-02-21 19:08:13 UTC

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.