Bug 518749 - SELinux is preventing the named daemon from writing to the zone directory
Status: CLOSED DUPLICATE of bug 495211
Product: Fedora
Classification: Fedora
Component: bind
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 518175
Reported: 2009-08-22 05:51 EDT by Eddie Lania
Modified: 2013-04-30 19:44 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-16 11:41:01 EDT

Attachments:
Named_t denials from audit log. (91.74 KB, text/plain)
2009-08-27 09:26 EDT, Eddie Lania

Description Eddie Lania 2009-08-22 05:51:53 EDT
Description of problem:SELinux is preventing the named daemon from writing to the zone directory. I use the bind-chroot package. I have placed the dynamic zones in the "/var/named/chroot/var/named/dynamic" directory.

It is not clear to me if bind-chroot and selinux can't work together. When using selinux, should bind-chroot be removed? also see bug 518175 and bug 510283.


Version-Release number of selected component (if applicable):
bind-utils-9.6.1-4.P1.fc11.i586
bind-libs-9.6.1-4.P1.fc11.i586
bind-chroot-9.6.1-4.P1.fc11.i586
bind-9.6.1-4.P1.fc11.i586

How reproducible: Setup bind-chroot and dhcp to do dynamic updates and enable SELinux.


Steps to Reproduce:
1.
2.
3.
  
Actual results:

SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l aadb6582-fe06-4613-afff-bfe22b31f6fc

SELinux is preventing named (named_t) "remove_name" named_zone_t. For complete SELinux messages. run sealert -l f52a5346-d236-4cff-ac85-94c839bb864b



Expected results: Setting up bind-chroot to write dynamic updates to the dynamic directory under /var/named/chroot/var/named not to cause the SELinux messages as described above.


Additional info:

Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal a intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

sealert -l aadb6582-fe06-4613-afff-bfe22b31f6fc

Source Context                unconfined_u:system_r:named_t:s0
Target Context                unconfined_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named/dynamic [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           bind-9.6.1-4.P1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   named_write_master_zones
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14
                              20:52:46 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Sat Aug 22 06:57:39 2009
Last Seen                     Sat Aug 22 09:12:16 2009
Local ID                      aadb6582-fe06-4613-afff-bfe22b31f6fc
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { write } for  pid=23117 comm="named" name="dynamic" dev=sda2 ino=1564074 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { add_name } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { create } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { write } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" dev=sda2 ino=1562011 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250925136.131:51921): arch=40000003 syscall=5 success=yes exit=8 a0=b4459510 a1=c2 a2=1b6 a3=b445951c items=0 ppid=1 pid=23117 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1236 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)



sealert -l f52a5346-d236-4cff-ac85-94c839bb864b

Summary:

SELinux is preventing named (named_t) "remove_name" named_zone_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:named_t:s0
Target Context                unconfined_u:object_r:named_zone_t:s0
Target Objects                tmp-Bd6vNAwxpJ [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           bind-9.6.1-4.P1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14
                              20:52:46 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Sat Aug 22 09:12:16 2009
Last Seen                     Sat Aug 22 09:12:16 2009
Local ID                      f52a5346-d236-4cff-ac85-94c839bb864b
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.179:51922): avc:  denied  { remove_name } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" dev=sda2 ino=1562011 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.179:51922): avc:  denied  { rename } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" dev=sda2 ino=1562011 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.179:51922): avc:  denied  { unlink } for  pid=23117 comm="named" name="168.168.192.in-addr.arpa.db" dev=sda2 ino=1562811 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250925136.179:51922): arch=40000003 syscall=38 success=yes exit=0 a0=b4459510 a1=b3a97100 a2=d163ac a3=b4459510 items=0 ppid=1 pid=23117 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1236 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
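The AVC records above are the raw material a reviewer of this report works from. The following triage helper is an added example, not part of the bug report or of the bind or selinux-policy packages: it parses AVC denials in the audit.log format quoted above, groups them by source type, target type, object class and permission, lists the named_zone_t objects that named_t tried to modify, and separately picks the `setsebool` lines out of /var/log/messages so that the "boolean flips back to 0 on restart" symptom discussed later in the thread shows up as data rather than as a hunch. The sample lines are copied from this report; the regular expressions, the grouping and the diagnosis wording are the example's own.

```python
"""Triage SELinux denials for named and flips of the named_write_master_zones boolean.

Added example, not part of bug 518749 or of the bind / selinux-policy packages.
The sample records are copied from the report; the parsing and the diagnosis
text are this example's own reading of the thread.
"""
import re
from collections import Counter

# Sample audit.log content (copied from the report). The SYSCALL record is kept to
# show that non-AVC record types are skipped by the parser.
SAMPLE_AUDIT = """\
node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { write } for  pid=23117 comm="named" name="dynamic" dev=sda2 ino=1564074 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { add_name } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.131:51921): avc:  denied  { create } for  pid=23117 comm="named" name="tmp-Bd6vNAwxpJ" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
node=ls2ka.elton-intra.net type=AVC msg=audit(1250925136.179:51922): avc:  denied  { unlink } for  pid=23117 comm="named" name="168.168.192.in-addr.arpa.db" dev=sda2 ino=1562811 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250925136.131:51921): arch=40000003 syscall=5 success=yes exit=8 a0=b4459510 a1=c2 a2=1b6 a3=b445951c items=0 ppid=1 pid=23117 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1236 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
"""

# Sample /var/log/messages lines (copied from comment 15 of the report).
SAMPLE_SYSLOG = """\
Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root
Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BOOL_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ setsebool: The (?P<name>\w+) policy "
    r"boolean was changed to (?P<value>[01]) by (?P<who>\S+)"
)
# Permissions that modify a directory or file; read-only accesses are not of interest here.
WRITE_PERMS = {"write", "add_name", "create", "remove_name", "rename", "unlink"}


def parse_avc_records(text):
    """One dict per AVC denial; SYSCALL and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", "?"),
            "stype": fields["scontext"].split(":")[2],   # e.g. named_t
            "ttype": fields["tcontext"].split(":")[2],   # e.g. named_zone_t
            "tclass": fields["tclass"],
        })
    return records


def summarize(records):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def zone_write_targets(records):
    """Names of named_zone_t objects that named_t tried to modify."""
    return sorted({r["name"] for r in records
                   if r["stype"] == "named_t" and r["ttype"] == "named_zone_t"
                   and set(r["perms"]) & WRITE_PERMS})


def diagnose(records):
    """Plain-language reading of the denials, following the reasoning in this bug."""
    targets = zone_write_targets(records)
    if not targets:
        return "no named_t write denials against named_zone_t objects"
    return ("named wrote to named_zone_t objects %s; if these are the dynamic/ or data/ "
            "directories (or files inside them) the directory is mislabelled and should "
            "be named_cache_t, which restorecon -R on the zone root repairs; "
            "named_write_master_zones=1 is only the right fix for genuine master-zone writes"
            % ", ".join(targets))


def boolean_changes(syslog_text, name="named_write_master_zones"):
    """(timestamp, new value, who) for every recorded flip of the boolean."""
    out = []
    for line in syslog_text.splitlines():
        m = BOOL_RE.match(line)
        if m and m.group("name") == name:
            out.append((m.group("when"), int(m.group("value")), m.group("who")))
    return out


def reset_after_enable(changes):
    """True when an enable (1) is later followed by a disable (0): the symptom where
    restarting the named service turns the boolean back off."""
    seen_enable = False
    for _, value, _ in changes:
        if value == 1:
            seen_enable = True
        elif seen_enable:
            return True
    return False


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for key, n in sorted(summarize(recs).items()):
        print("%-10s -> %-14s %-4s %-12s x%d" % (key + (n,)))
    print(diagnose(recs))
    print("boolean flips:", boolean_changes(SAMPLE_SYSLOG),
          "reset after enable:", reset_after_enable(boolean_changes(SAMPLE_SYSLOG)))
```

To run it against a real machine, feed `parse_avc_records` the output of `grep named_t /var/log/audit/audit.log` (the command comment 8 asks for) and `boolean_changes` the relevant part of /var/log/messages. The grouping by type pair is the useful part: a `named_t -> named_zone_t` write on an object that lives in dynamic/ points at a labelling problem, which no amount of `setsebool` will cure, whereas the same pair on a real master zone file is what the boolean exists for.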
Comment 1 Daniel Walsh 2009-08-22 07:23:19 EDT
bind-chroot and selinux should work together fine.  Did you set the boolean as described in the error message?

setsebool -P named_write_master_zones=1


You just need to tell selinux you will be writing zone files.
Comment 2 Eddie Lania 2009-08-22 07:35:23 EDT
I already tried that but then when the service named (bind) is restarted, the boolean is being set back to 0. See those other bugs as well.

The only option I have is to set "DEBUG=yes" in /etc/sysconfig/named, but that causes the boolean to be automatically set to 1 and /var/named to be completely writeable for named, which is not a good solution.

In the other bugs I found information that bind was adapted to be writeable only in the "data" and "dynamic" directories, since these are the only cases (i.e. when running named as a slave DNS) in which named would *ever* need to write.

Do you see my point now?

I also find it very disturbing that these changes in bind are so unknown to the "audience" ;-)

regards,

Eddie.
Comment 3 Daniel Walsh 2009-08-22 07:50:19 EDT
Reassigning bug to bind, since the "audience" probably knows the package better than the SELinux maintainer.
Comment 4 Eddie Lania 2009-08-22 08:11:48 EDT
(In reply to comment #3)
> Reassigning bug to bind, since the "audience" probably knows the package better
> than the SELinux maintainer.

Daniel,

I was not trying to offend you.

Regards,

Eddie.
Comment 5 Eddie Lania 2009-08-22 09:02:56 EDT
Since I found nothing about these changes in the Fedora 11 release notes, consider what would happen if someone is running bind-chroot on a production server with SELinux enforcing and does not know about these changes. Chances are that this server would not be able to update its zone files any more and the networking would become very distorted.

Think of microsoft AD servers not being able to update their service records in DNS any more, etc.

Doesn't that make this issue very urgent?
Comment 6 Eddie Lania 2009-08-26 17:35:54 EDT
Listen people, I am only trying to do the best I can to do something good here for Fedora linux by registering the bugs I find in some of the fedora packages here.

But I feel I have become a victim of something that is being called a disagreement between two devs: the one maintaining the named package and the other the SELinux package.

Or maybe I am wrong but no matter what it is, this issue here should have some more priority.

So, please, stop this silence.

If I have said something wrong then I am sorry for that and please feel free to throw it in my face (I can have it) but this issue here must be solved.

Thank you and please continue.

Regards.

Eddie.
Comment 7 Adam Tkac 2009-08-27 06:42:07 EDT
*** Bug 518175 has been marked as a duplicate of this bug. ***
Comment 8 Adam Tkac 2009-08-27 06:48:37 EDT
Sorry for late response, I was on vacation.

From the original description it seems you have mislabelled the /var/named/dynamic directory. Please try:

1. service named stop
2. restorecon -R /var/named
3. service named start

If you still receive errors please attach relevant messages from /var/log/audit/audit.log files (for example run `grep named_t /var/log/audit/audit.log > denials` and attach "denials" file here). Thanks.
Comment 9 Eddie Lania 2009-08-27 09:24:33 EDT
I have done so, and right after restarting named the following message is in the syslog:

Aug 27 15:19:34 ls2ka setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l 36747901-f53e-4acb-a34d-6ce639da2f24

sealert -l 36747901-f53e-4acb-a34d-6ce639da2f24

Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal a intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                unconfined_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           bind-9.6.1-4.P1.fc11
Target RPM Packages           bind-chroot-9.6.1-4.P1.fc11
Policy RPM                    selinux-policy-3.6.12-80.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   named_write_master_zones
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.8.fc11.i686.PAE #1 SMP Sat Aug 15
                              01:07:59 EDT 2009 i686 i686
Alert Count                   6
First Seen                    Wed Aug 19 12:32:47 2009
Last Seen                     Thu Aug 27 15:19:33 2009
Local ID                      36747901-f53e-4acb-a34d-6ce639da2f24
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1251379173.157:49112): avc:  denied  { write } for  pid=18325 comm="named" name="named" dev=sda2 ino=1480120 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1251379173.157:49112): arch=40000003 syscall=33 success=yes exit=0 a0=267beb a1=2 a2=26e1ac a3=0 items=0 ppid=18322 pid=18325 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1032 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)

I will attach "denials.txt" as you requested.
Comment 10 Eddie Lania 2009-08-27 09:26:40 EDT
Created attachment 358868 [details]
Named_t denials from audit log.

Named_t denials from audit log.
Comment 11 Adam Tkac 2009-08-28 04:44:37 EDT
(In reply to comment #9)
> Additional Information:
> 
> Source Context                unconfined_u:system_r:named_t:s0
> Target Context                system_u:object_r:named_zone_t:s0
> Target Objects                /var/named/chroot/var/named [ dir ]

^^^ this is suspicious. Are you sure that you put your DDNS zones in the "dynamic" directory? Also please check that the chroot/var/named/dynamic directory has the correct SELinux context (ls -dZ chroot/var/named/dynamic).

Next problem might be that your chroot/etc/named.conf is out of date. Chroot layout & maintenance differs from F10, you can check /etc/sysconfig/named for more information.

> Source                        named
> Source Path                   /usr/sbin/named
> Port                          <Unknown>
> Host                          ls2ka.elton-intra.net
> Source RPM Packages           bind-9.6.1-4.P1.fc11
> Target RPM Packages           bind-chroot-9.6.1-4.P1.fc11
> Policy RPM                    selinux-policy-3.6.12-80.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   named_write_master_zones
> Host Name                     ls2ka.elton-intra.net
> Platform                      Linux ls2ka.elton-intra.net
>                               2.6.29.6-217.2.8.fc11.i686.PAE #1 SMP Sat Aug 15
>                               01:07:59 EDT 2009 i686 i686
> Alert Count                   6
> First Seen                    Wed Aug 19 12:32:47 2009
> Last Seen                     Thu Aug 27 15:19:33 2009
> Local ID                      36747901-f53e-4acb-a34d-6ce639da2f24
> Line Numbers
Comment 12 Eddie Lania 2009-08-28 06:16:48 EDT
ls -dZ chroot/var/named/dynamic
drwxrwx---. named named system_u:object_r:named_cache_t:s0 chroot/var/named/dynamic


/etc/sysconfig/named:

# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/some/where"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)
ROOTDIR=/var/named/chroot
OPTIONS="-4"


And the zone files setup in /var/named/chroot/etc/named.conf:

zone "." IN {
        type hint;
        file "named.ca";
};


// The ELTON zones

zone "elton-intra.net" IN {
        type master;
        file "dynamic/elton-intra.net.db";
        allow-update { "elton"; };
};

// Provide reverse mappings for zone elton

zone "168.168.192.in-addr.arpa" {
        type master;
        file "dynamic/168.168.192.in-addr.arpa.db";
        allow-update { "elton"; };
};

// The server zones

zone "_msdcs.elton-intra.net" IN {
        type master;
        file "dynamic/_msdcs.elton-intra.net.db";
        allow-update { "elton"; };
        check-names ignore;
};

zone "_sites.elton-intra.net" IN {
        type master;
        file "dynamic/_sites.elton-intra.net.db";
        allow-update { "elton"; };
};

zone "_tcp.elton-intra.net" IN {
        type master;
        file "dynamic/_tcp.elton-intra.net.db";
        allow-update { "elton"; };
};

zone "_udp.elton-intra.net" IN {
        type master;
        file "dynamic/_udp.elton-intra.net.db";
        allow-update { "elton"; };
};
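Comment 11 asks for the one check that decides between the two fixes in this thread (relabel with restorecon, or flip the boolean): whether the directories named writes to carry the right type. The checker below is an added example, not code from the bug report or from the bind package. It parses the `ls -dZ` output format shown in comment 12 (and the shorter `context path` form newer coreutils prints for `ls -Z`), and compares each entry against this thread's layout: data/ and dynamic/ are named_cache_t (comment 2 names them as the only directories named should write to; comment 12 shows dynamic/ with that type), everything else under the zone root is named_zone_t (as the alert in comment 9 shows for the root itself). That expected-type table is the example's reading of the thread, not a copy of the policy's file_contexts; the sample lines, including their modes and owners, are constructed for the demonstration.

```python
"""Compare SELinux types under a BIND zone root with the layout this bug settles on.

Added example, not part of bug 518749 or of the bind / selinux-policy packages.
Expected types are taken from the thread (data/ and dynamic/ -> named_cache_t,
everything else -> named_zone_t), not from the policy's own file_contexts.
"""
import os
import subprocess

# Per comment 2: the only directories named is expected to write to.
WRITABLE_DIRS = ("data", "dynamic")

# Constructed sample in the `ls -dZ` format of comment 12. Modes and owners are
# invented; the dynamic/ line reproduces the mislabelled state from the original
# report (named_zone_t where named_cache_t is expected).
SAMPLE_LS = """\
drwxr-x---. root named system_u:object_r:named_zone_t:s0 /var/named/chroot/var/named
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/chroot/var/named/data
drwxrwx---. named named unconfined_u:object_r:named_zone_t:s0 /var/named/chroot/var/named/dynamic
-rw-r-----. root named system_u:object_r:named_zone_t:s0 /var/named/chroot/var/named/named.ca
"""


def parse_ls_z(line):
    """Extract context and path from one `ls -dZ` line.

    Works for both the long form (mode owner group context path) shown in the
    report and the two-column form (context path) of newer coreutils: the context
    is the first field with at least three colons, the path is everything after it.
    """
    fields = line.split()
    context = next(f for f in fields if f.count(":") >= 3)
    path = line.split(context, 1)[1].strip()
    return {"context": context, "type": context.split(":")[2], "path": path}


def expected_type(path, root):
    """Type a path under the zone root should carry, by its top-level component."""
    top = os.path.relpath(path, root).split(os.sep)[0]
    return "named_cache_t" if top in WRITABLE_DIRS else "named_zone_t"


def check_labels(lines, root):
    """(path, actual type, expected type) for every entry whose type is wrong."""
    mismatches = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_ls_z(line)
        want = expected_type(entry["path"], root)
        if entry["type"] != want:
            mismatches.append((entry["path"], entry["type"], want))
    return mismatches


def fix_command(root):
    """The relabel step from comment 8, applied to the whole zone root."""
    return "restorecon -R %s" % root


def collect_labels(root):
    """Run `ls -dZ` on the root and its direct children (needs an SELinux host)."""
    paths = [root] + [os.path.join(root, n) for n in sorted(os.listdir(root))]
    out = subprocess.run(["ls", "-dZ", "--"] + paths, check=True,
                         capture_output=True, text=True).stdout
    return out.splitlines()


def report(lines, root):
    """Human-readable result; returns the mismatch list for callers that want data."""
    bad = check_labels(lines, root)
    if not bad:
        print("all entries under %s carry the expected type" % root)
    for path, actual, want in bad:
        print("%s is %s, expected %s" % (path, actual, want))
    if bad:
        print("suggested fix:", fix_command(root))
    return bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # live check: python3 check.py /var/named/chroot/var/named
        root = sys.argv[1]
        report(collect_labels(root), root)
    else:                                     # offline demonstration on the constructed sample
        report(SAMPLE_LS.splitlines(), "/var/named/chroot/var/named")
```

Run it with the zone root as the argument (the chroot's var/named when bind-chroot is in use, plain /var/named otherwise) after `restorecon -R`, and the output should be empty; a remaining mismatch means the policy's file_contexts do not cover that path, which restorecon cannot fix on its own. Comment 17's puzzlement (the label in comment 12 already looked right, yet restorecon helped) is one reason to check the whole tree and not a single directory.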
Comment 13 Adam Tkac 2009-09-02 07:38:24 EDT
I have the same configuration as you on my test machine but I'm still not able to reproduce this issue; everything works fine for me.

Could you please attach messages from named from /var/log/messages when DDNS update fails?
Comment 14 Eddie Lania 2009-09-02 10:45:56 EDT
Dear Adam,

There don't seem to be any related DDNS update failures.

Below is the last occurrence of this error in my syslog:

Aug 30 03:33:08 ls2ka dbus: avc:  received policyload notice (seqno=6)
Aug 30 03:33:08 ls2ka dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=6)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Aug 30 03:33:08 ls2ka dbus: avc:  received policyload notice (seqno=6)
Aug 30 03:33:08 ls2ka setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Aug 30 03:33:08 ls2ka dbus: Reloaded configuration
Aug 30 03:33:08 ls2ka named[18323]: received control channel command 'reload'
Aug 30 03:33:08 ls2ka named[18323]: loading configuration from '/etc/named.conf'
Aug 30 03:33:08 ls2ka named[18323]: using default UDP/IPv4 port range: [1024, 65535]
Aug 30 03:33:08 ls2ka named[18323]: using default UDP/IPv6 port range: [1024, 65535]
Aug 30 03:33:08 ls2ka named[18323]: no IPv6 interfaces found
Aug 30 03:33:08 ls2ka named[18323]: zone 'elton-intra.net' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: zone '168.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: zone '_msdcs.elton-intra.net' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: zone '_sites.elton-intra.net' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: zone '_tcp.elton-intra.net' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: zone '_udp.elton-intra.net' allows updates by IP address, which is insecure
Aug 30 03:33:08 ls2ka named[18323]: reloading configuration succeeded
Aug 30 03:33:08 ls2ka named[18323]: reloading zones succeeded
Aug 30 03:33:10 ls2ka setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l 36747901-f53e-4acb-a34d-6ce639da2f24

After that one, the message has not occurred in the syslog anymore.
Comment 15 Harold Andrews 2009-09-14 09:21:27 EDT
On the recommendation of Adam Tkac, I am reposting the following which I submitted to the ISC BIND User Mailing List on 11 Sep 09 under the subject "SELinux / bind conflict":

Hello,

I’m having a bit of difficulty setting up bind on FC11 (x64) which I’m using in a standalone network environment (i.e. no external network connectivity; essentially a closed dev network).  I loaded the package from Red Hat and started it running as a service after building my zone files and /etc/named.conf.  I’m not using chroot, just vanilla bind.  I’ve read a number of posts about conflicts with bind and SELinux which seems to be the issue here.  When I set the named_write_master_zones flag in SELinux, any actions related to starting or stopping the named service seem to set the flag back to false.

> restorecon -R -v /var/named
> setsebool -P named_write_master_zones=1

Message log entry:
Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root

> service named restart

Message log entry:
Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: shutting down: flushing changes
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on 127.0.0.1#953
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on ::1#953
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 127.0.0.1#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 192.168.2.0#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on ::1#53
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 11 17:13:20 netmgr named[3270]: adjusted limit on open files from 1024 to 1048576
Sep 11 17:13:20 netmgr named[3270]: found 4 CPUs, using 4 worker threads
Sep 11 17:13:20 netmgr named[3270]: using up to 4096 sockets
Sep 11 17:13:20 netmgr named[3270]: loading configuration from '/etc/named.conf'
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv4 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv6 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface eth0, 192.168.2.0#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv6 interface lo, ::1#53
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 127.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: D.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: A.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: B.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: command channel listening on 127.0.0.1#953
Sep 11 17:13:20 netmgr named[3270]: command channel listening on ::1#953
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: loaded serial 9091101
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost.localdomain/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone u-giif.af.mil/IN: loaded serial 9091103
Sep 11 17:13:20 netmgr named[3270]: running
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35

Thoughts as to how to convince SELinux that I wasn’t kidding?  Thanks.

-Andy
Comment 16 Eddie Lania 2009-09-14 13:29:46 EDT
I have not seen any SELinux denials for named anymore.

I guess that putting the dynamic zone files in

 "/var/named/chroot/var/named/dynamic"

and doing a

 "restorecon -R /var/named/chroot/var/named"

has solved it.
Comment 17 Adam Tkac 2009-09-15 10:12:10 EDT
(In reply to comment #16)
> I have not seen any SELinux denials for named anymore.
> 
> I guess that putting the dynamic zone files in
> 
>  "/var/named/chroot/var/named/dynamic"
> 
> and doing a
> 
>  "restorecon -R /var/named/chroot/var/named"
> 
> has solved it.  

Weird, from your comment #12 it seems you had correct SELinux label so I wonder why restorecon solved your problem.

Harold, could you verify whether `restorecon -R /var/named` solves the problem in your case, please?
Comment 18 Harold Andrews 2009-09-15 10:51:20 EDT
Adam,

It doesn't seem to have changed things.  Here are the salient entries from the message log and the SEL alert:

> service named stop

Sep 15 10:36:25 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 15 10:36:25 netmgr named[5194]: received control channel command 'stop'
Sep 15 10:36:25 netmgr named[5194]: shutting down: flushing changes
Sep 15 10:36:25 netmgr named[5194]: stopping command channel on 127.0.0.1#953
Sep 15 10:36:25 netmgr named[5194]: stopping command channel on ::1#953
Sep 15 10:36:25 netmgr named[5194]: no longer listening on 127.0.0.1#53
Sep 15 10:36:25 netmgr named[5194]: no longer listening on 192.168.2.0#53
Sep 15 10:36:25 netmgr named[5194]: no longer listening on ::1#53
Sep 15 10:36:25 netmgr named[5194]: exiting

> restorecon -R /var/named
> setsebool -P named_write_master_zones=1

Sep 15 10:37:14 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root

> service named start

Sep 15 10:37:21 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 15 10:37:21 netmgr named[5381]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 15 10:37:21 netmgr named[5381]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 15 10:37:21 netmgr named[5381]: adjusted limit on open files from 1024 to 1048576
Sep 15 10:37:21 netmgr named[5381]: found 4 CPUs, using 4 worker threads
Sep 15 10:37:21 netmgr named[5381]: using up to 4096 sockets
Sep 15 10:37:21 netmgr named[5381]: loading configuration from '/etc/named.conf'
Sep 15 10:37:21 netmgr named[5381]: using default UDP/IPv4 port range: [1024, 65535]
Sep 15 10:37:21 netmgr named[5381]: using default UDP/IPv6 port range: [1024, 65535]
Sep 15 10:37:21 netmgr named[5381]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 15 10:37:21 netmgr named[5381]: listening on IPv4 interface eth0, 192.168.2.0#53
Sep 15 10:37:21 netmgr named[5381]: listening on IPv6 interface lo, ::1#53
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 127.IN-ADDR.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: D.F.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: A.E.F.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: automatic empty zone: B.E.F.IP6.ARPA
Sep 15 10:37:21 netmgr named[5381]: command channel listening on 127.0.0.1#953
Sep 15 10:37:21 netmgr named[5381]: command channel listening on ::1#953
Sep 15 10:37:21 netmgr named[5381]: the working directory is not writable
Sep 15 10:37:21 netmgr named[5381]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Sep 15 10:37:21 netmgr named[5381]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 15 10:37:21 netmgr named[5381]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Sep 15 10:37:21 netmgr named[5381]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 15 10:37:21 netmgr named[5381]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
Sep 15 10:37:21 netmgr named[5381]: zone 2.168.192.in-addr.arpa/IN: loaded serial 9091101
Sep 15 10:37:21 netmgr named[5381]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Sep 15 10:37:21 netmgr named[5381]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 15 10:37:21 netmgr named[5381]: zone localhost.localdomain/IN: loaded serial 0
Sep 15 10:37:21 netmgr named[5381]: zone localhost/IN: loaded serial 0
Sep 15 10:37:21 netmgr named[5381]: zone u-giif.af.mil/IN: loaded serial 9091103
Sep 15 10:37:21 netmgr named[5381]: running
Sep 15 10:37:23 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35

> sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35

Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal a intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                unconfined_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          netmgr.u-giif.af.mil
Source RPM Packages           bind-9.6.1-4.P1.fc11
Target RPM Packages           bind-9.6.1-4.P1.fc11
Policy RPM                    selinux-policy-3.6.12-81.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   named_write_master_zones
Host Name                     netmgr.u-giif.af.mil
Platform                      Linux netmgr.u-giif.af.mil 2.6.30.5-43.fc11.x86_64
                              #1 SMP Thu Aug 27 21:39:52 EDT 2009 x86_64 x86_64
Alert Count                   14
First Seen                    Fri 11 Sep 2009 10:05:32 AM EDT
Last Seen                     Tue 15 Sep 2009 10:37:21 AM EDT
Local ID                      d8456462-ce0f-4372-89ac-fafae8a6be35
Line Numbers                  

Raw Audit Messages            

node=netmgr.u-giif.af.mil type=AVC msg=audit(1253025441.206:53): avc:  denied  { write } for  pid=5382 comm="named" name="named" dev=dm-0 ino=172174 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=netmgr.u-giif.af.mil type=SYSCALL msg=audit(1253025441.206:53): arch=c000003e syscall=21 success=no exit=-13 a0=7fb4a401bad3 a1=2 a2=0 a3=0 items=0 ppid=5380 pid=5382 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=2 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)

The message log entries were grep filtered using "named" as the filter.  I didn't look at the full message log for the entire relevant period; I can post that if you think that will help.

-Andy
Comment 19 Adam Tkac 2009-09-15 12:02:26 EDT
(In reply to comment #18)
> Adam,
> 
> It doesn't seem to have changed things.  Here are the salient entries from the
> message log and the SEL alert:
> 
> > service named stop
> 
> Sep 15 10:36:25 netmgr setsebool: The named_write_master_zones policy boolean
> was changed to 0 by root
> Sep 15 10:36:25 netmgr named[5194]: received control channel command 'stop'
> Sep 15 10:36:25 netmgr named[5194]: shutting down: flushing changes
> Sep 15 10:36:25 netmgr named[5194]: stopping command channel on 127.0.0.1#953
> Sep 15 10:36:25 netmgr named[5194]: stopping command channel on ::1#953
> Sep 15 10:36:25 netmgr named[5194]: no longer listening on 127.0.0.1#53
> Sep 15 10:36:25 netmgr named[5194]: no longer listening on 192.168.2.0#53
> Sep 15 10:36:25 netmgr named[5194]: no longer listening on ::1#53
> Sep 15 10:36:25 netmgr named[5194]: exiting
> 
> > restorecon -R /var/named
> > setsebool -P named_write_master_zones=1
> 
> Sep 15 10:37:14 netmgr setsebool: The named_write_master_zones policy boolean
> was changed to 1 by root
> 
> > service named start
> 
> Sep 15 10:37:21 netmgr setsebool: The named_write_master_zones policy boolean
> was changed to 0 by root

Ah, as expected.

The named_write_master_zones boolean and a writable /var/named directory have been obsolete since Fedora 7. You should modify your configuration and put all writable zones into /var/named/dynamic (DDNS zones) or /var/named/slaves (secondary zones). There is no reason (except debugging purposes) for a writable /var/named.

Your problem is probably caused by the "DEBUG" feature (check bug #510283). Before this feature, named_write_master_zones was not touched by the named init script. Now it has to be modified according to the DEBUG setting. When debugging is enabled the SELinux boolean is set, and when debugging is disabled it is unset.

Would it be possible to check if you have no DDNS or slave zones directly in /var/named, please?
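One way to check a configuration against the rule stated above (DDNS zones under dynamic/, secondary zones under slaves/, nothing writable directly in the zone directory), as an added example that is not part of this bug report or of the bind package. It assumes a named.conf on disk (the constructed SAMPLE_CONF below, modelled on the configuration in comment 20 with two misplaced zones added, stands in for it) and uses a deliberately small parser that reads only top-level zone blocks and their type, file, allow-update and update-policy statements; include statements are not followed, and the function names parse_zones and misplaced_zones are this example's own.

```python
"""Flag writable BIND zones that do not live under dynamic/ or slaves/.

Added example (not from the bug report or the bind package).  It encodes
the rule from comment 19: DDNS zones belong under /var/named/dynamic,
secondary zones under /var/named/slaves, and nothing writable directly in
/var/named.  The parser is deliberately small: only top-level `zone`
blocks and their type/file/allow-update/update-policy statements are
read, and `include` statements are not followed.
"""
import re

# Constructed sample modelled on the named.conf in comment 20, plus two
# misplaced zones (example.test and secondary.test) that should be flagged.
SAMPLE_CONF = """\
options {
    directory "/var/named";
};

zone "u-giif.af.mil" {
    type master;
    notify no;
    file "dynamic/u-giif.af.mil";
};

zone "example.test" {
    type master;
    allow-update { key "ddns-key"; };
    file "example.test.zone";
};

zone "secondary.test" {
    type slave;
    masters { 192.0.2.1; };
    file "/var/named/secondary.test";
};

zone "." IN {
    type hint;
    file "named.ca";
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
DIRECTORY_RE = re.compile(r'directory\s+"([^"]+)"\s*;')


def _block_body(text, start):
    """Return the text between the '{' at `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _stmt(body, name):
    """Value of a simple `name value;` statement, quotes stripped."""
    m = re.search(r'(?m)^\s*' + re.escape(name) + r'\s+("?)([^;"]+)\1\s*;', body)
    return m.group(2).strip() if m else None


def parse_zones(conf):
    """List of dicts describing each top-level zone block."""
    zones = []
    for m in ZONE_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        zones.append({
            "name": m.group(1),
            "type": _stmt(body, "type"),
            "file": _stmt(body, "file"),
            # either statement makes a master zone accept dynamic updates
            "ddns": re.search(r"\b(allow-update|update-policy)\b", body) is not None,
        })
    return zones


def misplaced_zones(conf):
    """Zones named will write (journals, transfers) whose file sits outside
    the expected subdirectory.  Returns (name, type, file, expected) tuples."""
    m = DIRECTORY_RE.search(conf)
    directory = (m.group(1) if m else "/var/named").rstrip("/") + "/"
    findings = []
    for z in parse_zones(conf):
        if z["type"] == "slave":
            expected = "slaves/"
        elif z["type"] == "master" and z["ddns"]:
            expected = "dynamic/"
        else:
            continue  # hint zones and static masters are never written by named
        path = z["file"] or ""
        if path.startswith(directory):  # absolute path inside the zone directory
            path = path[len(directory):]
        if not path.startswith(expected):
            findings.append((z["name"], z["type"], z["file"], expected))
    return findings


if __name__ == "__main__":
    for name, ztype, path, expected in misplaced_zones(SAMPLE_CONF):
        print("zone %s (%s): file %r should live under %s" % (name, ztype, path, expected))
```

Static master zones (no allow-update or update-policy) and hint zones are skipped because named never writes them, which is why the two zones in comment 20 do not need to be in dynamic/ at all; a zone flagged by this check would explain a genuine write denial on named_zone_t rather than the startup probe discussed later in the thread.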
Comment 20 Harold Andrews 2009-09-15 12:28:01 EDT
Adam,

netmgr# cat /etc/named.conf

// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl "safe-subnet" { 192.168.2.0; };

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; safe-subnet; };
	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside . trust-anchor dlv.isc.org.;
};

zone "u-giif.af.mil" {
	type master;
	notify no;
	allow-query { localhost; safe-subnet; };
	file "dynamic/u-giif.af.mil";
};

zone "2.168.192.in-addr.arpa" {
	type master;
	notify no;
	allow-query { localhost; safe-subnet; };
	file "dynamic/192.168.2";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";

netmgr# ls -lR /var/named

/var/named:
total 28
drwxrwx---. 2 named named 4096 2009-09-14 09:30 data
drwxrwx---. 3 named named 4096 2009-09-11 17:08 dynamic
-rw-r-----. 1 root  named 1892 2008-02-18 07:29 named.ca
-rw-r-----. 1 root  named  129 2007-06-21 06:09 named.empty
-rw-r-----. 1 root  named  152 2007-06-21 06:09 named.localhost
-rw-r-----. 1 root  named  145 2007-06-21 06:09 named.loopback
drwxrwx---. 2 named named 4096 2009-07-29 09:24 slaves

/var/named/data:
total 428
-rw-r--r--. 1 named named   5786 2009-09-15 10:41 named.run
-rw-r--r--. 1 named named 424372 2009-09-14 09:30 named.run-20090914

/var/named/dynamic:
total 12
-rw-r--r--. 1 named named  209 2009-09-11 09:45 192.168.2
-rw-r--r--. 1 named named  524 2009-09-11 17:08 u-giif.af.mil

/var/named/slaves:
total 0

netmgr# cat /var/named/dynamic/192.168.2

$TTL 3H
@	IN SOA	@  netmgr.u-giif.af.mi. (
					09091101	; serial
					1D		; refresh
					1H		; retry
					1W		; expire
					3H )		; minimum
	NS	netmgr

0	PTR	netmgr
1	PTR	switch1
2	PTR	switch2
3	PTR	switch3

netmgr# cat /var/named/dynamic/u-giif.af.mil

;
; Zone definition file for u-giif.af.mil
;
$TTL 3H
@	IN SOA	@ netmgr.u-giif.af.mil. (
					09091103	; serial
					1D		; refresh
					1H		; retry
					1W		; expire
					3H )		; minimum
	NS	netmgr 
;
localhost	A	127.0.0.1
netmgr		A	192.168.2.0
switch1		A	192.168.2.1
switch2		A	192.168.2.2
switch3		A	192.168.2.3

I'm admittedly a bit new to this.  Thanks.

-Andy
Comment 21 Harold Andrews 2009-09-15 12:35:49 EDT
Adam,

From your post, then, is it safe to ignore the SELinux errors?  The only reason I ask is that I've been having difficulty with other hosts resolving hostnames.  Thanks.

-Andy
Comment 22 Adam Tkac 2009-09-16 07:15:41 EDT
(In reply to comment #21)
> Adam,
> 
> From your post, then, is it safe to ignore the SELinux errors?  The only reason
> I ask is that I've been having difficulty with other hosts resolving hostnames.
>  Thanks.

Well, no SELinux denial should be ignored. Are errors still present after you execute `restorecon -R /var/named` ?
Comment 23 Harold Andrews 2009-09-16 08:58:14 EDT
Adam,

Yes, the SELinux error still occurs with restorecon -R /var/named.

-Andy
Comment 24 Adam Tkac 2009-09-16 11:40:37 EDT
After inspection, this particular error is not a problem.

The main problem is the access(2) syscall called during startup on the /var/named directory to check if /var/named is writable. Due to this call an AVC is reported. The issue with the access(2) call is tracked as bug #495211.
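Triaging the paired AVC and SYSCALL records the way the comment above does, as an added example that is neither part of this report nor of the setroubleshoot tooling. It assumes x86_64 audit records (arch=c000003e), where syscall number 21 is access(2) and the a1 argument 2 is the W_OK mode, and it uses the raw audit messages quoted in comment 18 together with a constructed second event (an unlink of a hypothetical example.jnl) for contrast; the function names parse_audit, classify and triage are this example's own.

```python
"""Triage named_t AVC denials: benign startup probe or real write denial?

Added example (not part of this report or of setroubleshoot).  Comment 24
explains that the AVC in comment 18 comes from named calling access(2) on
/var/named at startup to see whether the working directory is writable.
This script pairs each AVC record with its SYSCALL record and separates
that probe from denials of actual write operations.  It assumes x86_64
records (arch=c000003e), where syscall 21 is access and a1=2 is W_OK.
"""
import re

# x86_64 syscall numbers that matter for zone-directory writes
SYSCALL_NAMES = {2: "open", 21: "access", 82: "rename", 83: "mkdir", 87: "unlink"}
EACCES = -13
W_OK = 2

# The first two lines are the raw audit messages quoted in comment 18; the
# last two are a constructed unlink denial (example.jnl) for contrast.
SAMPLE_AUDIT = """\
node=netmgr.u-giif.af.mil type=AVC msg=audit(1253025441.206:53): avc:  denied  { write } for  pid=5382 comm="named" name="named" dev=dm-0 ino=172174 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
node=netmgr.u-giif.af.mil type=SYSCALL msg=audit(1253025441.206:53): arch=c000003e syscall=21 success=no exit=-13 a0=7fb4a401bad3 a1=2 a2=0 a3=0 items=0 ppid=5380 pid=5382 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=2 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
node=netmgr.u-giif.af.mil type=AVC msg=audit(1253025500.000:99): avc:  denied  { remove_name } for  pid=5382 comm="named" name="example.jnl" dev=dm-0 ino=172200 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
node=netmgr.u-giif.af.mil type=SYSCALL msg=audit(1253025500.000:99): arch=c000003e syscall=87 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=5380 pid=5382 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=2 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
"""

MSG_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")


def parse_audit(text):
    """Group AVC and SYSCALL records by their audit event id."""
    events = {}
    for line in text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        event = events.setdefault(m.group(1), {})
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") == "AVC":
            event["avc"] = fields
            event["perms"] = PERMS.search(line).group(1).split()
        elif fields.get("type") == "SYSCALL":
            event["syscall"] = fields
    return events


def classify(event):
    """Return (verdict, reason) for one AVC+SYSCALL event."""
    avc, sc = event.get("avc", {}), event.get("syscall", {})
    if avc.get("scontext", "").split(":")[2:3] != ["named_t"]:
        return "ignore", "not a named_t denial"
    if sc.get("arch") != "c000003e":
        return "review", "not x86_64: syscall numbers differ"
    nr = int(sc.get("syscall", -1))
    name = SYSCALL_NAMES.get(nr, "syscall#%d" % nr)
    # The startup probe: access(dir, W_OK) refused with EACCES on a dir,
    # with nothing but the "write" permission in the AVC.
    if (name == "access" and int(sc.get("exit", 0)) == EACCES
            and int(sc.get("a1", "0"), 16) == W_OK
            and avc.get("tclass") == "dir" and event.get("perms") == ["write"]):
        return "benign", "access(2) W_OK probe on %s; see bug 495211" % avc.get("tcontext")
    return "investigate", "%s denied {%s} on %r in %s" % (
        name, " ".join(event.get("perms", [])), avc.get("name"), avc.get("tcontext"))


def triage(text):
    """Count verdicts across an audit extract."""
    counts = {}
    for event in parse_audit(text).values():
        verdict = classify(event)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for event_id, event in parse_audit(SAMPLE_AUDIT).items():
        verdict, reason = classify(event)
        print("%s: %s (%s)" % (event_id, verdict, reason))
```

The SYSCALL record is what makes the distinction possible: the AVC alone says only that named_t was denied write on a named_zone_t directory, while syscall=21 with a1=2 shows it was a W_OK probe that named tolerates (it logs "the working directory is not writable" and carries on), whereas a denied unlink, rename or open would mean a zone or journal that named actually needs to write is sitting in the wrong place or has the wrong label.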
Comment 25 Adam Tkac 2009-09-16 11:41:01 EDT

*** This bug has been marked as a duplicate of bug 495211 ***
