Bug 239149 - bind-chroot breaks dynamic DNS
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bind
Version: 6
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Adam Tkac
QA Contact: Ben Levenson
Blocks: 239802
Reported: 2007-05-05 07:08 EDT by Jeff Layton
Modified: 2014-06-18 03:36 EDT
Fixed In Version: 9.4.1-4.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-08 11:59:26 EDT

Attachments
proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE (1.10 KB, patch)
2007-05-05 07:45 EDT, Jeff Layton
proposed patch -- fix selinux_enabled and also fix chown'ing (1.96 KB, patch)
2007-05-05 08:47 EDT, Jeff Layton

Description Jeff Layton 2007-05-05 07:08:05 EDT
I've noticed that on package updates, when the bind package is updated that it
chowns all of the files in /var/named/chroot/var/named to root:named. This seems
to happen when /usr/sbin/bind-chroot-admin --enable is run.

I run my nameserver with dynamic DNS enabled. When this occurs, updates no
longer work. It seems like the chown'ing of the files in there to root:named
ought to be conditional on a setting of some sort.
Comment 1 Jeff Layton 2007-05-05 07:45:12 EDT
Created attachment 154199
proposed patch -- make chowning of master zonefiles contingent upon $ENABLE_ZONE_WRITE

This patch seems to correct it and I think it should be what we want. This
makes the user to which we chown the zonefiles in /var/named and
${BIND_CHROOT_PREFIX}/var/named vary depending upon whether $ENABLE_ZONE_WRITE
is set.
Comment 2 Jeff Layton 2007-05-05 08:47:42 EDT
Created attachment 154200
proposed patch -- fix selinux_enabled and also fix chown'ing

This patch should also fix the problem and more correctly. It adds a new
function to detect whether master zone writes are enabled based on selinux
settings. If selinux isn't enabled then it falls back to using
$ENABLE_ZONE_WRITES.

This also fixes what appears to be a bug in this script. The return codes for
the selinuxenabled command are actually reversed (it returns 0 for true).
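
The logic described in Comment 2, as an added example that is not the attached patch or the bind-chroot-admin script itself: it tests `selinuxenabled` by its exit status (0 means enabled), consults SELinux first and falls back to the sysconfig variable. The function names, the `named_write_master_zones` boolean, the accepted values of `ENABLE_ZONE_WRITE` and the `named:named` owner are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from bind-chroot-admin.

# selinuxenabled exits 0 when SELinux is enabled and non-zero otherwise,
# so it is used directly as a shell condition (0 means true).
selinux_is_enabled() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Succeeds (returns 0) when named may write master zone files.
zone_writes_enabled() {
    if selinux_is_enabled; then
        # Assumed boolean; getsebool prints "named_write_master_zones --> on".
        case "$(getsebool named_write_master_zones 2>/dev/null)" in
            *"--> on") return 0 ;;
            *)         return 1 ;;
        esac
    fi
    # SELinux off or absent: fall back to the sysconfig variable.
    # Accepting "yes" or "1" is an assumption made here.
    case "${ENABLE_ZONE_WRITE:-no}" in
        [yY][eE][sS]|1) return 0 ;;
        *)              return 1 ;;
    esac
}

# root:named leaves the daemon without owner write access; named:named
# (assumed writable owner) is chosen only when writes are enabled.
zone_file_owner() {
    if zone_writes_enabled; then echo "named:named"; else echo "root:named"; fi
}

# chown every regular file in a zone directory; DRY_RUN=1 only prints.
apply_zone_ownership() {
    dir=$1
    owner=$(zone_file_owner)
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "chown $owner $f"
        else
            chown "$owner" "$f"
        fi
    done
}

# Usage: DRY_RUN=1 apply_zone_ownership /var/named/chroot/var/named
```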
Comment 3 Adam Tkac 2007-05-22 11:28:51 EDT
Could be fixed in bind-9.3.4-5.fc6. Thanks for the patch.

Regards, Adam
Comment 4 Adam Tkac 2007-06-04 06:22:39 EDT
After thinking further, I'm changing the policy in rawhide. Please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241872#c1 for reasons. In
the future only the /var/named/slaves directory is for slave zones.

Regards, Adam
Comment 5 Jeff Layton 2007-06-04 06:50:48 EDT
I'm not sure I understand your last comment. Do you mean that you're backing out
this change and that if I want a writable master zone that I should put it in
/var/named/slaves?
Comment 6 Adam Tkac 2007-06-04 06:53:02 EDT
Yeah. I think this could be the best solution, isn't it?
Comment 7 Adam Tkac 2007-06-04 06:54:07 EDT
But only in Fedora-rawhide; Fedora <= 7 will be unaffected by this change.
Comment 8 Adam Tkac 2007-06-04 06:56:14 EDT
Hm, wait. We're talking about dynamic DNS, not about slave DNS. Let me check it

-A-
Comment 9 Jeff Layton 2007-06-04 07:14:40 EDT
What might be best actually is to make a separate directory for master zones
(i.e. /var/named/master). Then you won't need to make /var/named be owned by
named at all. That probably means selinux policy changes, etc, but I think that
might be the best solution.
Comment 10 Fedora Update System 2007-06-08 11:59:11 EDT
bind-9.4.1-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
