+++ This bug was initially created as a clone of Bug #1572647 +++

Description of problem:
/var/named is not writeable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
Traditionally our configuration did not allow bind to write into its default home /var/named. This is also protected by selinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}. Policy allows the named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only when "setsebool named_write_master_zones on" is called.

For some reason this is already automatically exploited by the bind-dyndb-ldap package, which sets named_write_master_zones on installation and disables it on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is common to maintain DNSSEC signatures also in master zones from BIND. Static zones that are never modified by the daemon are no longer dominant. I think a writeable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for the whole /var/named, where named_zone_t was used before.

Blocks bug #1422680

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242

--- Additional comment from Petr Menšík on 2018-04-27 16:09:38 CEST ---

I think it would be sufficient to leave protection of non-writeable zones to unix rights. Because dac_override is not granted, it should be secure enough. Product security agreed with that.
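An added audit helper (not part of the bug report or of selinux-policy) that applies the rule the description states: named can write to named_cache_t, and to named_zone_t only while named_write_master_zones is on. The `ls -Zd` listing and the named_zone_t label on /var/named/dyndb-ldap are constructed sample input so the script runs offline; on a real host the same functions can be fed the output of `ls -Zd /var/named /var/named/*` and `getsebool named_write_master_zones`.

```shell
#!/bin/sh
# Predict, per directory under /var/named, whether named may write there,
# from the directory's SELinux type and the named_write_master_zones boolean.

# Constructed sample of `ls -Zd` output (context, then path). The dyndb-ldap
# directory is deliberately labeled named_zone_t, the mismatch the bug describes.
SAMPLE_LS='system_u:object_r:named_zone_t:s0 /var/named
system_u:object_r:named_cache_t:s0 /var/named/data
system_u:object_r:named_cache_t:s0 /var/named/dynamic
system_u:object_r:named_cache_t:s0 /var/named/slaves
system_u:object_r:named_zone_t:s0 /var/named/dyndb-ldap'

# named_can_write TYPE BOOL -> prints yes or no.
# named_cache_t is always writable; named_zone_t only when the boolean is on.
named_can_write() {
    case "$1" in
        named_cache_t) echo yes ;;
        named_zone_t)  [ "$2" = on ] && echo yes || echo no ;;
        *)             echo no ;;
    esac
}

# audit_named_dirs BOOL: reads `ls -Zd` lines on stdin, prints
# "path type writable" per line. The type is the third colon field of the context.
audit_named_dirs() {
    while read -r ctx path; do
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        echo "$path $type $(named_can_write "$type" "$1")"
    done
}

# audit_sample BOOL: run the audit over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE_LS" | audit_named_dirs "$1"
}

# count_unwritable BOOL -> number of sample directories named cannot write to.
count_unwritable() {
    audit_sample "$1" | grep -c ' no$' || true
}

# With the boolean off, /var/named and /var/named/dyndb-ldap are reported as
# not writable; with it on, every directory is writable.
audit_sample off
```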
commit f0c5a683216a296b2944f9274cafc5b223205f0c
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 12 16:11:54 2018 +0200

    Turn named_write_master_zones boolean on by default.