I just set up a CentOS 5.2 system with bind9 (9.3.4-6.0.1.P1.el5) and I'm running up against a problem that seems to be related to SELinux. If I set named_disable_trans to 1, everything works as expected, but if I leave it enabled the server will only give me data for the zones for which it is authoritative. For external sites it returns a ServFail error. This is with nslookup and dig.

If I start named from the command line with the command "named -u named", the server returns the expected response. tcpdump shows that the server is querying itself and getting a ServFail response. I figure that I'm missing something really basic, but I'm not sure what.

Debug logs show this:

FAIL:
clientmgr @0x2b491728c1d0: createclients
clientmgr @0x2b491728c1d0: recycle
. . .
fctx 0x2b49173153e0(www.google.com/A'): shutdown
client 192.168.213.111#33096: view internal: error

Succeed:
clientmgr @0x2b109771bd30: createclients
clientmgr @0x2b109771bd30: create new
. . .
res 0x2b109778cae0: dns_resolver_prime
res 0x2b109778cae0: priming
createfetch: . NS
fctx 0x2b109781e280(./NS'): create
fctx 0x2b109781e280(./NS'): join
fetch 0x2b109781e260 (fctx 0x2b109781e280(./NS)): created
dns_adb_createfind: found A for name 0x2b109780fa70 in db
fctx 0x2b109781e280(./NS'): start
res 0x2b109778cae0: dns_resolver_prime
fctx 0x2b109781e280(./NS'): try
fctx 0x2b109781e280(./NS'): cancelqueries
fctx 0x2b109781e280(./NS'): getaddresses
dns_adb_createfind: found AAAA for name 0x2b109780fa70
. . .

Any ideas?

Thanks in advance,
M
On Thu, Jul 10, 2008 at 7:22 PM, Meenoo Shivdasani <meenoo at gmail.com> wrote:
> I'm running up against a problem that seems to be related to SELinux.
> Any ideas?

If it's SELinux related, have a look at /var/log/audit/audit.log; that will tell you what is being blocked in SELinux. That would be a good start. Let us know what you found there, then we might be able to help you a little more.

HTH,
Filipe
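As an added example, not part of either message in this thread, here is a small Python script for the check Filipe suggests: it pulls the AVC denial records that belong to the named process out of an audit.log and tallies them by source type, target type, object class and permission, which is the shape a policy rule is written against and makes it obvious what SELinux is refusing while named tries to recurse. The sample log lines are constructed for this example (they are not from the original poster's system); the record layout follows the auditd AVC format, and the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample audit.log content (not from the original thread). The
# field layout follows the auditd AVC record format used on RHEL/CentOS 5.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215728520.101:201): avc:  denied  { name_bind } for  pid=3412 comm="named" src=53 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215728520.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="named" exe="/usr/sbin/named" subj=root:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1215728520.233:202): avc:  denied  { name_connect } for  pid=3412 comm="named" dest=53 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215728520.233:202): avc:  denied  { name_connect } for  pid=3412 comm="named" dest=53 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215728531.004:203): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=sda2 ino=9921 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs that follow "for"; values may be quoted (comm="named").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def named_denials(log_text):
    """Return only the AVC denials attributed to the named process."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("comm") == "named":
            out.append(rec)
    return out


def summarize(denials):
    """Count denials by (source type, target type, object class, permission).

    The type is the third colon-separated field of an SELinux context
    (user:role:type:level); that is the field a policy allow rule names.
    """
    counts = Counter()
    for rec in denials:
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    import sys
    # Usage: python avc_named.py /var/log/audit/audit.log (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for (stype, ttype, tclass, perm), n in sorted(summarize(named_denials(text)).items()):
        print("%4d  %s -> %s  %s:%s" % (n, stype, ttype, tclass, perm))
```

Reading the tally is more useful than reading raw records: a denial of name_connect or name_bind on dns_port_t from named_t points at the port labelling or a boolean, whereas a denial on a file type points at the zone or cache directory labels, and audit2allow can then be run on exactly those records rather than on a guess.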