Ray Leventhal
2007-Aug-17 13:16 UTC
[CentOS] repost: SELinux questions, upon restarting BIND
As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.

Thanks in advance,
~Ray

==========Original Posts follow=========
(full output is in the original thread)

Ray Leventhal wrote:
> > Hi all,
> >
> > On my newly up-and-running nameserver (CentOS 5), I noticed the
> > following alerts in /var/log/messages after restarting BIND. (lines
> > inserted to aid in reading).
> > As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an
> > issue which simply *must* be addressed, or if it's something I should
> > live with, and 2) how to eliminate the warning messages without
> > sacrificing SELinux protections. The system does not have X installed,
> > so 'setroubleshoot' isn't an option (unless there's a text equivalent).
> >
> > Thanks in advance for any opinions/suggestions/enlightenments :)
> >
> > ~Ray
> >
> > ============================================
> > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing
> > /usr/sbin/named (named_t) "getattr" access to /dev/random
> > (tmpfs_t). For complete SELinux messages. run sealert -l
> > 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
> > ============================================
> > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing
> > /usr/sbin/named (named_t) "read" access to random (tmpfs_t). For
> > complete SELinux messages. run sealert -l
> > b7014747-0d8d-443e-8b9a-af868976452d
> > ============================================
> >
> <big output snip>

Update:

A bit of searching found a thread which pointed here:
http://www.webservertalk.com/message1323968.html

This is a talk about Bind 9.x on RHEL4, but I think it applies to C5 as
well as the issue is SELinux and chrooted BIND implementations.

Problem is, I'm still not sure what should be done. I'd rather not
disable SELinux protection by doing this:

setsebool -P named_disable_trans=1

...but the instructions for alerting SELinux to the chrooted file locations are a bit short of my (inexperienced) needs.

Any help would be greatly appreciated.

@Moderator: if this is truly off-topic, my apologies. Please let me know and I will post to an SELinux list.

TIA,
~Ray

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
Craig White
2007-Aug-17 16:13 UTC
[CentOS] repost: SELinux questions, upon restarting BIND
I am hesitant to offer suggestions for RHELv5 selinux since I haven't spent any time playing with it but would definitely recommend that you join the selinux list...

https://www.redhat.com/mailman/listinfo/fedora-selinux-list

where you will get definitive and correct answers to selinux issues

Craig

On Fri, 2007-08-17 at 09:16 -0400, Ray Leventhal wrote:
> As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.
>
> Thanks in advance,
> ~Ray
>
> ==========Original Posts follow=========
> (full output is in the original thread)
>
> Ray Leventhal wrote:
> > > Hi all,
> > >
> > > On my newly up-and-running nameserver (CentOS 5), I noticed the
> > > following alerts in /var/log/messages after restarting BIND. (lines
> > > inserted to aid in reading).
> > > As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an
> > > issue which simply *must* be addressed, or if it's something I should
> > > live with, and 2) how to eliminate the warning messages without
> > > sacrificing SELinux protections. The system does not have X installed,
> > > so 'setroubleshoot' isn't an option (unless there's a text equivalent).
> > >
> > > Thanks in advance for any opinions/suggestions/enlightenments :)
> > >
> > > ~Ray
> > >
> > > ============================================
> > > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing
> > > /usr/sbin/named (named_t) "getattr" access to /dev/random
> > > (tmpfs_t). For complete SELinux messages. run sealert -l
> > > 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
> > > ============================================
> > > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing
> > > /usr/sbin/named (named_t) "read" access to random (tmpfs_t). For
> > > complete SELinux messages. run sealert -l
> > > b7014747-0d8d-443e-8b9a-af868976452d
> > > ============================================
> > >
> > <big output snip>
>
> Update:
>
> A bit of searching found a thread which pointed here:
> http://www.webservertalk.com/message1323968.html
>
> This is a talk about Bind 9.x on RHEL4, but I think it applies to C5 as
> well as the issue is SELinux and chrooted BIND implementations.
>
> Problem is, I'm still not sure what should be done. I'd rather not
> disable SELinux protection by doing this:
>
> setsebool -P named_disable_trans=1
>
> ...but the instructions for alerting SELinux to the chrooted file locations are a bit short of my (inexperienced) needs.
>
> Any help would be greatly appreciated.
>
> @Moderator: if this is truly off-topic, my apologies. Please let me know and I will post to an SELinux list.
>
> TIA,
> ~Ray
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Craig White <craig at tobyhouse.com>
Robert Spangler
2007-Aug-18 02:14 UTC
[CentOS] repost: SELinux questions, upon restarting BIND
On Fri August 17 2007 09:16, Ray Leventhal wrote:
> As this remains an issue for me, I'm reposting. Please forgive the
> redundancy, but I've been unable to find the answer and am hoping for some
> guidance.

OK, are you running named in a chroot env?

> > > ============================================
> > > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing
> > > /usr/sbin/named (named_t) "getattr" access to /dev/random
> > > (tmpfs_t). For complete SELinux messages. run sealert -l
> > > 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
> > > ============================================

Have you done the above to get the complete message?

-- 
Regards
Robert

Smile... it increases your face value!
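As an added example (not code from the thread or from the CentOS project), here is a small POSIX shell triage script for the question Ray raises and Robert follows up on: it runs over the two setroubleshoot summary lines Ray quoted, pulls out the source domain, permission, target and target type, and classifies each denial as a labeling problem (the target carries the wrong type, so a relabel with restorecon keeps named confined in named_t and needs no policy change) or a genuine policy gap (the label is already right, so the full sealert -l output is the next thing to read). The expected-type table (random_device_t / urandom_device_t for the random device nodes) and the chroot path /var/named/chroot are assumptions of this example, not something the thread states; the checks it prints are dry-run commands and it executes none of them.

```shell
#!/bin/sh
# Added example: triage setroubleshoot summary lines from a chrooted named.
# Goal: decide between "relabel the chroot's device node" and the option
# Ray wants to avoid, setsebool -P named_disable_trans=1 (which would run
# named unconfined instead of fixing the label).

# Constructed sample: the two summary lines quoted in the thread, each on
# one line as syslog writes them to /var/log/messages.
SAMPLE_LOG='Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "read" access to random (tmpfs_t). For complete SELinux messages. run sealert -l b7014747-0d8d-443e-8b9a-af868976452d'

# Assumed chroot root for the bind-chroot package (not stated in the thread).
CHROOT=${CHROOT:-/var/named/chroot}

# parse_denials: stdin = setroubleshoot summary lines; stdout = one record
# per denial, five space-separated fields:
#   source_domain permission target target_type sealert_id
parse_denials() {
  sed -n 's/.*SELinux is preventing [^ ]* (\([^)]*\)) "\([^"]*\)" access to \([^ ]*\) (\([^)]*\))\..*sealert -l \([0-9a-f-]*\).*/\1 \2 \3 \4 \5/p'
}

# expected_type: the file type a device node should carry under the
# targeted policy. Assumed table; it covers only the nodes a chrooted
# named needs for its entropy source. Prints nothing for unknown paths.
expected_type() {
  case "$1" in
    */random|random)   echo random_device_t ;;
    */urandom|urandom) echo urandom_device_t ;;
  esac
}

# classify_denial TARGET ACTUAL_TYPE
#   mislabeled : actual type differs from the expected one -> relabel
#   policy     : label already correct -> the policy itself lacks the rule
#   unknown    : path not in the table -> needs a human look
classify_denial() {
  t="$1"; a="$2"
  w=$(expected_type "$t")
  if [ -z "$w" ]; then
    echo unknown
  elif [ "$w" != "$a" ]; then
    echo mislabeled
  else
    echo policy
  fi
}

# triage: parse a log on stdin and print a verdict per denial plus the
# non-destructive check an admin would run next. restorecon -n only
# reports what it would change; nothing here modifies the system.
triage() {
  parse_denials | while read -r domain perm target ttype id; do
    verdict=$(classify_denial "$target" "$ttype")
    echo "$domain $perm $target ($ttype): $verdict"
    case "$verdict" in
      mislabeled) echo "  check: ls -Z $CHROOT/$target ; restorecon -nv $CHROOT/$target" ;;
      policy)     echo "  check: sealert -l $id   # full message, then audit2allow if a rule is truly missing" ;;
      unknown)    echo "  check: matchpathcon $CHROOT/$target" ;;
    esac
  done
}

# Run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage
```

Both sample denials come out as "mislabeled": the target is the random device node but carries tmpfs_t, which points at the device node inside the chroot rather than at the named policy, so the dry-run restorecon is the check to try before touching any boolean.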