CentOS - Feb 2013 - Selinux blocking bind access to named/data and slave directories

I was getting permission errors (seen in /var/log/messages) in accessing 
these two directories within my chroot tree.  I was pulling out what 
little hair I have, as the permissions were identical to those on my 
Centos 5.5 server.  So I switched selinux into permissive mode and now I 
have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ 
stubs.

What is the selinux magic to allow bind to write here?

Robert,

Send output of this two commands:

ps -eZ | grep named
ls -alZ into directorys that you want to allow bind to write


Att,

Frederico Madeira
fmadeira at gmail.com
www.madeira.eng.br


2013/2/14 Robert Moskowitz <rgm at htt-consult.com>
> I was getting permission errors (seen in /var/log/messages) in accessing
> these two directories within my chroot tree.  I was pulling out what
> little hair I have, as the permissions were identical to those on my
> Centos 5.5 server.  So I switched selinux into permissive mode and now I
> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/
> stubs.
>
> What is the selinux magic to allow bind to write here?
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

On 14/02/13 7:23 PM, Robert Moskowitz wrote:
> I was getting permission errors (seen in /var/log/messages) in accessing 
> these two directories within my chroot tree.  I was pulling out what 
> little hair I have, as the permissions were identical to those on my 
> Centos 5.5 server.  So I switched selinux into permissive mode and now I 
> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ 
> stubs.
> 
> What is the selinux magic to allow bind to write here?
Hi,

This may start a debate but it is my understanding that RH recommends to
not use chroot jails with bind as selinux is more secure.  For some
additional information see the following extract from the BIND 9 FAQ:

https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

Right now I can't locate this on the new ISC website though.  There is
also an selinux section in the named(8) manual page, for example:

http://linux.die.net/man/8/named

which states pretty much the same.

If you wish to stay with chroot then the key is probably to install the
bind-chroot package and ensure that the ROOTDIR variable is set
correctly in:

/etc/sysconfig/named

For what its worth I'm running a number of master/slave DNS servers
under selinux no problems.  Any updates on the master propagates happily
to the slaves.  Mind you these are low traffic DNS servers that sit
behind a firewall.

Cheers
-pete

-- 
Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 937 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20130214/b6d817a3/attachment-0002.sig>

On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in
accessing
>> these two directories within my chroot tree.  I was pulling out what
>> little hair I have, as the permissions were identical to those on my
>> Centos 5.5 server.  So I switched selinux into permissive mode and now
I
>> have /var/named/chroot/var/named/data/named.run and my
..../named/slave/
>> stubs.
>>
>> What is the selinux magic to allow bind to write here?
> Hi,
>
> This may start a debate but it is my understanding that RH recommends to
> not use chroot jails with bind as selinux is more secure.
Oh NO!!! A security debate!!!

Well this system is only for bind and as an internal ntp server, so 
maybe I can keep selinux on.  But then I am a communications security 
specialist not an OS security specialist, so I can't contribute as to 
which is more limiting on bind's access to things it should not see.
> For some additional information see the following extract from the BIND 9
FAQ:
>
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
More reading.
> Right now I can't locate this on the new ISC website though.
A number of them are my IETF buddies, so I can (and will) ask them directly.
> There is also an selinux section in the named(8) manual page, for example:
>
> http://linux.die.net/man/8/named
>
> which states pretty much the same.
>
> If you wish to stay with chroot then the key is probably to install the
> bind-chroot package and ensure that the ROOTDIR variable is set
> correctly in:
>
> /etc/sysconfig/named
Done but that did not help with selinux and the named/data directory.
> For what its worth I'm running a number of master/slave DNS servers
> under selinux no problems.  Any updates on the master propagates happily
> to the slaves.  Mind you these are low traffic DNS servers that sit
> behind a firewall.
This will sit behind a firewall, but has an external view.  Another 
thing is I have to learn about supporting the 4096 possible UDP source 
ports on my firewall.  That is yet another thing to fix.  And STILL not 
yet to DNSSEC config.

I will probably rebuild the test box over the weekend and try without 
chroot.