Bug 239149 - bind-chroot breaks dynamic DNS
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind   
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Ben Levenson
Blocks: 239802
Reported: 2007-05-05 11:08 UTC by Jeff Layton
Modified: 2014-06-18 07:36 UTC (History)

Fixed In Version: 9.4.1-4.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-08 15:59:26 UTC

Attachments
proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE (1.10 KB, patch)
2007-05-05 11:45 UTC, Jeff Layton
proposed patch -- fix selinux_enabled and also fix chown'ing (1.96 KB, patch)
2007-05-05 12:47 UTC, Jeff Layton

Description Jeff Layton 2007-05-05 11:08:05 UTC
I've noticed that on package updates, when the bind package is updated, it
chowns all of the files in /var/named/chroot/var/named to root:named. This seems
to happen when /usr/sbin/bind-chroot-admin --enable is run.

I run my nameserver with dynamic DNS enabled. When this occurs, updates no
longer work. It seems like the chown'ing of the files in there to root:named
ought to be conditional on a setting of some sort.

Comment 1 Jeff Layton 2007-05-05 11:45:12 UTC
Created attachment 154199
proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE

This patch seems to correct it and I think it should be what we want. This
makes the user to which we chown the zonefiles in /var/named and
${BIND_CHROOT_PREFIX}/var/named vary depending upon whether $ENABLE_ZONE_WRITE
is set.

Comment 2 Jeff Layton 2007-05-05 12:47:42 UTC
Created attachment 154200
proposed patch -- fix selinux_enabled and also fix chown'ing

This patch should also fix the problem and more correctly. It adds a new
function to detect whether master zone writes are enabled based on selinux
settings. If selinux isn't enabled then it falls back to using
$ENABLE_ZONE_WRITES.

This also fixes what appears to be a bug in this script. The return codes for
the selinuxenabled command are actually reversed (it returns 0 for true).
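
The ownership decision described in comment 2, as an added example (this is not the attached patch or the bind package's own script). The function names, the `named:named` owner for the writable case, and the accepted values of `ENABLE_ZONE_WRITE` are assumptions; `named_write_master_zones` is the SELinux boolean that governs writes to master zones.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not from bind-chroot-admin.

# selinuxenabled(8) exits 0 when SELinux is enabled and non-zero otherwise,
# so its exit status is already a shell truth value and must not be inverted.
selinux_enabled() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Succeeds (exit 0) when named is allowed to write its master zone files.
zone_writes_enabled() {
    if selinux_enabled; then
        # getsebool prints "named_write_master_zones --> on" or "... --> off".
        case "$(getsebool named_write_master_zones 2>/dev/null)" in
            *"--> on"*) return 0 ;;
            *)          return 1 ;;
        esac
    fi
    # SELinux disabled: fall back to the sysconfig variable.
    # Accepted spellings are an assumption for this example.
    case "${ENABLE_ZONE_WRITE:-no}" in
        [Yy]|[Yy][Ee][Ss]|1|[Tt][Rr][Uu][Ee]) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Prints the owner:group to apply to the zone files. root:named keeps them
# read-only for the daemon; named:named (assumed) is used only when dynamic
# updates have been explicitly allowed.
zone_owner() {
    if zone_writes_enabled; then
        echo "named:named"
    else
        echo "root:named"
    fi
}

echo "zone files would be chowned to: $(zone_owner)"
```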

Comment 3 Adam Tkac 2007-05-22 15:28:51 UTC
Could be fixed in bind-9.3.4-5.fc6. Thanks for the patch.

Regards, Adam

Comment 4 Adam Tkac 2007-06-04 10:22:39 UTC
After further thought, I'm changing the policy in rawhide. Please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241872#c1 for reasons. In
the future, only the /var/named/slaves directory is for slave zones.

Regards, Adam

Comment 5 Jeff Layton 2007-06-04 10:50:48 UTC
I'm not sure I understand your last comment. Do you mean that you're backing out
this change and that if I want a writable master zone that I should put it in
/var/named/slaves?


Comment 6 Adam Tkac 2007-06-04 10:53:02 UTC
Yeah. I think this could be the best solution, isn't it?

Comment 7 Adam Tkac 2007-06-04 10:54:07 UTC
But only in Fedora-rawhide; Fedora <= 7 will be unaffected by this change.

Comment 8 Adam Tkac 2007-06-04 10:56:14 UTC
Hm, wait. We're talking about dynamic DNS, not about slave DNS. Let me check it

-A-

Comment 9 Jeff Layton 2007-06-04 11:14:40 UTC
What might be best actually is to make a separate directory for master zones
(i.e. /var/named/master). Then you won't need to make /var/named be owned by
named at all. That probably means selinux policy changes, etc, but I think that
might be the best solution.


Comment 10 Fedora Update System 2007-06-08 15:59:11 UTC
bind-9.4.1-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

