Bug 545128 - SELinux is preventing the named daemon from writing to the zone directory
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bind
Version: 12
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:93fbed4e580...
Keywords: Reopened
Reported: 2009-12-07 12:24 EST by g_vergis
Modified: 2013-04-30 19:44 EDT
Fixed In Version: 9.6.1-16.P3.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-04 20:31:01 EST
Description g_vergis 2009-12-07 12:24:38 EST
Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.1-13.P2.fc12
Target RPM Packages           bind-9.6.1-13.P2.fc12
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   named_write_master_zones
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.6-145.fc12.i686 #1 SMP Sat Nov 21 16:28:23
                              EST 2009 i686 i686
Alert Count                   14
First Seen                    Sun 06 Dec 2009 04:11:30 PM PST
Last Seen                     Mon 07 Dec 2009 08:48:36 AM PST
Local ID                      8001c6c0-65fd-4f2c-90a0-a9e8adad7698
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260204516.519:9): avc:  denied  { write } for  pid=1450 comm="named" name="named" dev=dm-1 ino=83527 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1260204516.519:9): arch=40000003 syscall=33 success=no exit=-13 a0=874fab a1=2 a2=87d1ac a3=881c20 items=0 ppid=1 pid=1450 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,named_write_master_zones,named,named_t,named_zone_t,dir,write
audit2allow suggests:

#============= named_t ==============
allow named_t named_zone_t:dir write;
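As an added triage example, not part of the bug report or of the setroubleshoot tooling: a POSIX sh script that reads the two raw audit records sealert prints, the AVC record and its SYSCALL record, and decides whether they are the named_t write to a named_zone_t directory this report is about and whether the kernel actually refused it. The word "denied" is printed in the AVC record even when SELinux is permissive; only the SYSCALL record sharing the same audit(...) serial says whether the write failed (success=no exit=-13) or went through. The sample input is the AVC/SYSCALL pair from the report above plus constructed permissive-mode and unrelated-domain records; the function names are this example's own.

```shell
#!/bin/sh
# Added triage example, not part of the bug report: classify the raw audit
# records that sealert prints. "avc: denied" appears in the AVC record even in
# permissive mode; only the paired SYSCALL record (same audit(...) serial) says
# whether the write really failed (success=no exit=-13) or went through.

# audit_field LINE KEY -> value of " KEY=value" in LINE (empty if absent)
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# audit_serial LINE -> "timestamp:serial" from msg=audit(...), the join key
# between an AVC record and its SYSCALL record
audit_serial() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p'
}

# context_type user:role:type:level -> type
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc AVC_LINE [SYSCALL_LINE] -> one of
#   other                         not a named_t write to a named_zone_t dir
#   named_zone_write_denied       enforcing: the write was refused
#   named_zone_write_permissive   permissive: logged, but the write succeeded
#   named_zone_write_unconfirmed  AVC matches, but no matching SYSCALL record
classify_avc() {
    avc=$1
    sc=${2:-}
    case "$avc" in
        *'type=AVC '*'avc:  denied  { write }'*) ;;
        *) echo other; return 0 ;;
    esac
    stype=$(context_type "$(audit_field "$avc" scontext)")
    ttype=$(context_type "$(audit_field "$avc" tcontext)")
    tclass=$(audit_field "$avc" tclass)
    if [ "$stype" != named_t ] || [ "$ttype" != named_zone_t ] || [ "$tclass" != dir ]; then
        echo other; return 0
    fi
    if [ -z "$sc" ] || [ "$(audit_serial "$sc")" != "$(audit_serial "$avc")" ]; then
        echo named_zone_write_unconfirmed; return 0
    fi
    if [ "$(audit_field "$sc" success)" = yes ]; then
        echo named_zone_write_permissive
    else
        echo named_zone_write_denied
    fi
}

# Sample input: the AVC/SYSCALL pair from the report (enforcing mode) ...
AVC_ENFORCING='node=(removed) type=AVC msg=audit(1260204516.519:9): avc:  denied  { write } for  pid=1450 comm="named" name="named" dev=dm-1 ino=83527 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'
SYSCALL_ENFORCING='node=(removed) type=SYSCALL msg=audit(1260204516.519:9): arch=40000003 syscall=33 success=no exit=-13 a0=874fab a1=2 a2=87d1ac a3=881c20 items=0 ppid=1 pid=1450 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)'
# ... a constructed permissive-mode pair (success=yes, its own serial) ...
AVC_PERMISSIVE='node=host type=AVC msg=audit(1266267653.350:9): avc:  denied  { write } for  pid=1569 comm="named" name="named" dev=sdb10 ino=414387 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'
SYSCALL_PERMISSIVE='node=host type=SYSCALL msg=audit(1266267653.350:9): arch=40000003 syscall=33 success=yes exit=0 items=0 ppid=1 pid=1569 uid=25 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)'
# ... and a constructed AVC from another domain that must not be matched.
AVC_OTHER='node=host type=AVC msg=audit(1266267700.100:12): avc:  denied  { write } for  pid=2000 comm="httpd" name="html" dev=sdb10 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Demonstration when run directly.
echo "enforcing pair:  $(classify_avc "$AVC_ENFORCING" "$SYSCALL_ENFORCING")"
echo "permissive pair: $(classify_avc "$AVC_PERMISSIVE" "$SYSCALL_PERMISSIVE")"
echo "AVC alone:       $(classify_avc "$AVC_ENFORCING")"
echo "other domain:    $(classify_avc "$AVC_OTHER" "$SYSCALL_ENFORCING")"
```

On a live system the two records come from `ausearch -m avc,syscall` for the same serial; feed each pair to classify_avc. A named_zone_write_denied result on a host that is not a secondary for any zone is the "intrusion attempt" case the sealert text warns about and deserves a look at what named was trying to write before anyone reaches for setsebool.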
Comment 1 Daniel Walsh 2009-12-07 15:25:36 EST
Read the sealert.  It tells you what to do.
Comment 2 g_vergis 2009-12-07 23:27:39 EST
Ran the "fix" "setsebool -P named_write_master_zones=1" many times with reboot; yields the same error. Relocated the zone file to /var/named/data, /var/named/slave, /var/named/dynamic, still resulting in the same error. chown the entire directory to named:named, still the same issue. Googled many days with the error, tried every suggestion, even the ones I knew wouldn't work, still the same issue. Filed a bug report here, with the suggestion to retry "setsebool -P named_write_master_zones=1", followed it anyway. Still the same issue.

Planning on disabling SELinux on named altogether, at this point.
Comment 3 Daniel Walsh 2009-12-09 07:59:50 EST
# getsebool -a | grep named
If it is turned on, could you execute 

ausearch -m avc -ts recent | audit2allow -w
Comment 4 Radek Liboska 2009-12-17 11:41:47 EST
This is very severe bug, as it prevents name server to be used as the secondary name server!

The bug is localized in the /etc/init.d/named starting script, line 61.
This script resets named_write_master_zones to "off" every time it is called. The result is, that setsebool -P named_write_master_zones=1 has no chance to work.

The author of this stupid change should be penalized!

Bug should be fixed by commenting off the bad line and then set  
named_write_master_zones to on.
Comment 5 Radek Liboska 2009-12-17 11:45:27 EST
Daniel, please, could someone from redhat fix the same bug in Fedora 11 ?
Comment 6 Daniel Walsh 2009-12-17 11:52:52 EST
What is this script attempting to do?
Comment 7 Daniel Walsh 2009-12-17 11:53:22 EST
The bind init script should not be changing these booleans.
Comment 8 Radek Liboska 2009-12-17 12:11:36 EST
Agree!

Someone puts these lines :
------------------------------------------------------
 # Enable/disable debugging
if [ "x$DEBUG" = 'xyes' ]; then
  chown named.named /var/named
  if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled &&
    [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'off' ]; then
      setsebool named_write_master_zones 1
  fi;
else
  chown root.named /var/named
  if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled &&
    [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'on' ]; then
      setsebool named_write_master_zones 0
  fi;
fi
----------------------------------------------------
to the bind init script in Fedora 11 (no "debugging" section was present in Fedora 10 and previous).

IMO it should be removed.
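As an added illustration, not from the bug report or the bind package: a POSIX sh replay of the quoted conditional against a stand-in for the SELinux boolean store. getsebool and setsebool here are stubs written for this example that model the one thing that matters: setsebool -P writes both the policy store and the live value, setsebool without -P changes only the live value, and a reboot reloads the live value from the store. The chown lines are dropped and selinuxenabled is assumed to be true; buggy_start_named, fixed_start_named, replay and persistent_value are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the bug report or the bind package: replay the
# init-script conditional quoted above against a stand-in boolean store to show
# why "setsebool -P named_write_master_zones=1" never survived a service start.

PERSISTENT=off   # value in the policy store (what setsebool -P writes)
ACTIVE=off       # value in the running kernel (what getsebool reports)

# Stub of getsebool: prints "name --> value" like the real tool.
getsebool() {
    printf '%s --> %s\n' "$1" "$ACTIVE"
}

# Stub of setsebool: with -P both the store and the live value change, without
# -P only the live value does. Accepts both "name 1" and "name=1" spellings.
setsebool() {
    persist=no
    if [ "$1" = -P ]; then persist=yes; shift; fi
    name=$1
    val=$2
    case "$name" in *=*) val=${name#*=}; name=${name%%=*} ;; esac
    case "$val" in 1|on|true) val=on ;; *) val=off ;; esac
    ACTIVE=$val
    if [ $persist = yes ]; then PERSISTENT=$val; fi
    return 0
}

# Reboot: the live value is reloaded from the policy store.
reboot_box() { ACTIVE=$PERSISTENT; }

# The conditional from the quoted /etc/init.d/named, minus the chown lines and
# with selinuxenabled assumed true. DEBUG is read from the environment, as there.
buggy_start_named() {
    if [ "x$DEBUG" = 'xyes' ]; then
        if [ "$(getsebool named_write_master_zones | awk '{ print $3; }')" = 'off' ]; then
            setsebool named_write_master_zones 1
        fi
    else
        if [ "$(getsebool named_write_master_zones | awk '{ print $3; }')" = 'on' ]; then
            setsebool named_write_master_zones 0
        fi
    fi
}

# The same start with that block removed, which is what the fix amounts to.
fixed_start_named() { :; }

# replay START_FUNCTION -> the live value after the sequence from comment 2:
# setsebool -P ...=1, reboot, service start.
replay() {
    PERSISTENT=off
    ACTIVE=off
    setsebool -P named_write_master_zones=1
    reboot_box
    "$1"
    getsebool named_write_master_zones | awk '{ print $3; }'
}

# persistent_value -> what the policy store holds right now.
persistent_value() { printf '%s\n' "$PERSISTENT"; }

# Demonstration when run directly.
echo "buggy start, DEBUG unset: live=$(replay buggy_start_named)"
echo "buggy start, DEBUG=yes:   live=$(DEBUG=yes; replay buggy_start_named)"
echo "fixed start:              live=$(replay fixed_start_named)"
```

The replay makes the failure mode in comment 2 concrete: the persistent value stays on through every -P and every reboot, but each start of the service flips the live value back to off, so getsebool on the running box reports off no matter how often -P was run. An init script is the wrong place to manage policy booleans for exactly this reason; the boolean is an administrator's decision about the host's role, not something to toggle per start.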
Comment 9 Radek Liboska 2010-01-25 08:17:48 EST
Last update of bind at Fedora 11 broke my secondary name server again.

 PLEASE, could the maintainer of the bind package fix this stupid bug!? What is the purpose of Red Hat's Bugzilla, if no one cares?
Comment 10 Fedora Update System 2010-01-27 10:34:13 EST
bind-9.6.1-10.P3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bind-9.6.1-10.P3.fc11
Comment 11 Fedora Update System 2010-01-27 10:34:23 EST
bind-9.6.1-16.P3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bind-9.6.1-16.P3.fc12
Comment 12 Radek Liboska 2010-01-27 11:02:30 EST
The bug seems to be fixed, thanks.
Comment 13 Fedora Update System 2010-01-28 22:24:12 EST
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1186
Comment 14 Fedora Update System 2010-01-28 22:26:12 EST
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1195
Comment 15 Fedora Update System 2010-02-04 20:30:51 EST
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-02-04 20:38:42 EST
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 g_vergis 2010-02-05 12:24:41 EST
Looks like it is fixed!
Comment 18 Dan Thurman 2010-02-15 16:06:41 EST
Even with 9.6.1-16.P3.f12 installed, I am getting this problem.


Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.6.1-16.P3.fc12
Target RPM Packages           bind-chroot-9.6.1-16.P3.fc12
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   named_write_master_zones
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.3.fc12.i686
                              #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 15 Feb 2010 01:00:53 PM PST
Last Seen                     Mon 15 Feb 2010 01:00:53 PM PST
Local ID                      af76ff2a-7a9d-4aa1-be09-df3541fb6300
Line Numbers                  

Raw Audit Messages            

node=gold.cdkkt.com type=AVC msg=audit(1266267653.35:9): avc:  denied  { write } for  pid=1569 comm="named" name="named" dev=sdb10 ino=414387 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1266267653.35:9): arch=40000003 syscall=33 success=yes exit=0 a0=992e0b a1=2 a2=99b1ac a3=99fc20 items=0 ppid=1 pid=1569 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

What do I need to do?
Comment 19 Adam Tkac 2010-02-16 08:31:41 EST
(In reply to comment #18)
> What do I need to do?    

Have you tried to set named_write_master_zones SELinux boolean? ("setsebool -P named_write_master_zones=1"). Note that preferred location for secondary (slave) zones is /var/named/slaves/ directory and for DDNS zones it is /var/named/dynamic/ directory. Both directories are writable by named by default.
Comment 20 Daniel Walsh 2010-02-16 10:51:28 EST
Dan the alert message told you what to do.

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: "setsebool -P
named_write_master_zones=1"
Comment 21 Dan Thurman 2010-02-16 11:20:58 EST
I have read this bug list in its entirety and it
says not to use the setsebool line if your email
server is the master email server, as it is in
my case. I do not have a secondary e-mail server.

So, are you saying that I should run the setsebool cmd,
on the master email server?
Comment 22 Daniel Walsh 2010-02-16 11:41:49 EST
There is no mention of email service in this bug?  Yes you need to run the command.  Your Bind/Named service is receiving zone files from another Named service, and trying to write the zone files to local disk.  At least for one zone this named is a secondary server to another domain.