Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named is not required to write to these files. Only secondary servers should be required to write to these directories. If this machine is not a secondary server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you need to turn on the named_write_master_zones boolean: "setsebool -P named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.1-13.P2.fc12
Target RPM Packages           bind-9.6.1-13.P2.fc12
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   named_write_master_zones
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.i686 #1 SMP Sat Nov 21 16:28:23 EST 2009 i686 i686
Alert Count                   14
First Seen                    Sun 06 Dec 2009 04:11:30 PM PST
Last Seen                     Mon 07 Dec 2009 08:48:36 AM PST
Local ID                      8001c6c0-65fd-4f2c-90a0-a9e8adad7698
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1260204516.519:9): avc: denied { write } for pid=1450 comm="named" name="named" dev=dm-1 ino=83527 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1260204516.519:9): arch=40000003 syscall=33 success=no exit=-13 a0=874fab a1=2 a2=87d1ac a3=881c20 items=0 ppid=1 pid=1450 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-49.fc12,named_write_master_zones,named,named_t,named_zone_t,dir,write

audit2allow suggests:

#============= named_t ==============
allow named_t named_zone_t:dir write;
Read the sealert. It tells you what to do.
Ran the "fix" "setsebool -P named_write_master_zones=1" many times, with reboots; it yields the same error. Relocated the zone file to /var/named/data, /var/named/slave, /var/named/dynamic, still resulting in the same error. Ran chown on the entire directory to named:named, still the same issue. Googled for many days with the error, tried every suggestion, even the ones I knew wouldn't work, still the same issue. Filed a bug report here, with the suggestion to retry "setsebool -P named_write_master_zones=1"; followed it anyway. Still the same issue. Planning on disabling SELinux for named altogether at this point.
# getsebool -a | grep named

If it is turned on, could you execute

ausearch -m avc -ts recent | audit2allow -w
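Before flipping any boolean it is worth confirming that the AVC record really is the case named_write_master_zones governs (named_t writing a named_zone_t directory) and not some other denial that audit2allow would explain differently. The script below is an added example and is not part of the bug report or of the bind package; it embeds the AVC line pasted above as constructed sample input so it runs offline, and the function names (avc_field, recommend, etc.) are my own. The getsebool call is only attempted when the tool is present.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a raw AVC record before
# touching any SELinux boolean. SAMPLE_AVC is the denial pasted in the report,
# embedded here as constructed input so the script runs without ausearch.

SAMPLE_AVC='type=AVC msg=audit(1260204516.519:9): avc: denied { write } for pid=1450 comm="named" name="named" dev=dm-1 ino=83527 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'

# avc_field LINE KEY -> the value of "KEY=value" in the record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permissions LINE -> the permission list inside "denied { ... }"
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# named_zone_write_denial LINE: succeeds only for the exact case the
# named_write_master_zones boolean covers: named_t writing a named_zone_t dir.
named_zone_write_denial() {
    line=$1
    s=$(avc_type "$(avc_field "$line" scontext)")
    t=$(avc_type "$(avc_field "$line" tcontext)")
    c=$(avc_field "$line" tclass)
    p=$(avc_permissions "$line")
    [ "$s" = named_t ] && [ "$t" = named_zone_t ] && [ "$c" = dir ] || return 1
    case " $p " in *" write "*) return 0 ;; *) return 1 ;; esac
}

# recommend LINE IS_SECONDARY(yes|no) -> the action the sealert text describes
recommend() {
    if named_zone_write_denial "$1"; then
        if [ "$2" = yes ]; then
            echo "setsebool -P named_write_master_zones=1"
        else
            echo "investigate: named tried to write a zone directory on a server that is not a secondary"
        fi
    else
        echo "not a named_write_master_zones case; run the record through audit2allow -w"
    fi
}

# current_boolean NAME -> on/off from getsebool when available, "unknown" otherwise
current_boolean() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1" 2>/dev/null | awk '{ print $3 }'
    else
        echo unknown
    fi
}

# Walk the pasted record the way the report's "Allowing Access" text does.
recommend "$SAMPLE_AVC" yes
echo "named_write_master_zones is currently: $(current_boolean named_write_master_zones)"
```

The point of the strict match is that the boolean only makes sense for this one type pair; a denial with a different source type, target type or object class should go to audit2allow -w as asked above rather than being "fixed" by enabling named_write_master_zones.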
This is a very severe bug, as it prevents the name server from being used as a secondary name server! The bug is localized in the /etc/init.d/named start script, line 61. This script resets named_write_master_zones to "off" every time it is called. The result is that setsebool -P named_write_master_zones=1 has no chance to work. The author of this stupid change should be penalized! The bug should be fixed by commenting out the bad line and then setting named_write_master_zones to on.
Daniel, please, could someone from Red Hat fix the same bug in Fedora 11?
What is this script attempting to do?
The bind init script should not be changing these booleans.
Agree! Someone put these lines:

------------------------------------------------------
# Enable/disable debugging
if [ "x$DEBUG" = 'xyes' ]; then
    chown named.named /var/named
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'off' ]; then
        setsebool named_write_master_zones 1
    fi;
else
    chown root.named /var/named
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'on' ]; then
        setsebool named_write_master_zones 0
    fi;
fi
----------------------------------------------------

into the bind init script in Fedora 11 (no "debugging" section was present in Fedora 10 and earlier). IMO it should be removed.
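The damaging detail in that block is that it calls setsebool without -P, so every service start overwrites the running value of a boolean that the administrator set persistently. The script below is an added example, not part of the bug report or of the bind package; it scans a script for setsebool invocations and reports each one as persistent or runtime-only, which is a quick way to find an init script that silently undoes a "setsebool -P". The quoted debugging block is embedded as constructed input, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bind package): audit an init script for
# setsebool calls and flag the ones that only change the running policy.
# INIT_SNIPPET is the debugging block quoted in the bug report, embedded here
# as constructed input so the scan runs offline.

INIT_SNIPPET=$(cat <<'EOF'
# Enable/disable debugging
if [ "x$DEBUG" = 'xyes' ]; then
    chown named.named /var/named
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'off' ]; then
        setsebool named_write_master_zones 1
    fi;
else
    chown root.named /var/named
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && [ `getsebool named_write_master_zones | awk '{ print $3; }'` = 'on' ]; then
        setsebool named_write_master_zones 0
    fi;
fi
EOF
)

# setsebool_calls SCRIPT_TEXT -> one line per call: "<boolean> <value> persistent|runtime"
# Handles both "setsebool [-P] name value" and "setsebool [-P] name=value";
# comment lines are skipped, getsebool is not matched.
setsebool_calls() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /(^|\/)setsebool$/) {
                    mode = "runtime"; j = i + 1
                    if ($j == "-P") { mode = "persistent"; j++ }
                    name = $j; val = $(j + 1)
                    if (index(name, "=") > 0) { split(name, kv, "="); name = kv[1]; val = kv[2] }
                    print name, val, mode
                }
            }
        }'
}

# runtime_toggle_count SCRIPT_TEXT -> number of calls that bypass the persistent value
runtime_toggle_count() {
    setsebool_calls "$1" | { grep -c ' runtime$' || true; }
}

# Report on the quoted block: two runtime-only toggles of the same boolean,
# which is exactly why "setsebool -P" appeared to have no effect.
setsebool_calls "$INIT_SNIPPET"
echo "runtime-only toggles: $(runtime_toggle_count "$INIT_SNIPPET")"
```

Run it against /etc/init.d/named (or any service script) with `setsebool_calls "$(cat /etc/init.d/named)"`; a non-zero runtime count on a boolean you manage with -P is the pattern to remove.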
The last update of bind on Fedora 11 broke my secondary name server again. PLEASE, could the maintainer of the bind package fix this stupid bug!? What is the purpose of Red Hat's Bugzilla, if no one cares?
bind-9.6.1-10.P3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/bind-9.6.1-10.P3.fc11
bind-9.6.1-16.P3.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/bind-9.6.1-16.P3.fc12
The bug seems to be fixed, thanks.
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1186
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1195
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Looks like it is fixed!
Even with 9.6.1-16.P3.f12 installed, I am getting this problem.

Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the named daemon from writing zone files. Ordinarily, named is not required to write to these files. Only secondary servers should be required to write to these directories. If this machine is not a secondary server, this could signal an intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you need to turn on the named_write_master_zones boolean: "setsebool -P named_write_master_zones=1"

Fix Command:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.6.1-16.P3.fc12
Target RPM Packages           bind-chroot-9.6.1-16.P3.fc12
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   named_write_master_zones
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 15 Feb 2010 01:00:53 PM PST
Last Seen                     Mon 15 Feb 2010 01:00:53 PM PST
Local ID                      af76ff2a-7a9d-4aa1-be09-df3541fb6300
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1266267653.35:9): avc: denied { write } for pid=1569 comm="named" name="named" dev=sdb10 ino=414387 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1266267653.35:9): arch=40000003 syscall=33 success=yes exit=0 a0=992e0b a1=2 a2=99b1ac a3=99fc20 items=0 ppid=1 pid=1569 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

What do I need to do?
(In reply to comment #18)
> What do I need to do?

Have you tried to set the named_write_master_zones SELinux boolean? ("setsebool -P named_write_master_zones=1"). Note that the preferred location for secondary (slave) zones is the /var/named/slaves/ directory and for DDNS zones it is the /var/named/dynamic/ directory. Both directories are writable by named by default.
Dan the alert message told you what to do. Detailed Description: SELinux has denied the named daemon from writing zone files. Ordinarily, named is not required to write to these files. Only secondary servers should be required to write to these directories. If this machine is not a secondary server, this could signal an intrusion attempt. Allowing Access: If you want named to run as a secondary server and accept zone transfers you need to turn on the named_write_master_zones boolean: "setsebool -P named_write_master_zones=1"
I have read this bug list in its entirety and it says not to use the setsebool line if your email server is the master email server, as it is in my case. I do not have a secondary e-mail server. So, are you saying that I should run the setsebool command on the master email server?
There is no mention of email service in this bug? Yes you need to run the command. Your Bind/Named service is receiving zone files from another Named service, and trying to write the zone files to local disk. At least for one zone this named is a secondary server to another domain.