Special Forums Cybersecurity [SELinux] Problem with Bind 9 Post 302750533 by Anibal on Tuesday 1st of January 2013 07:39:16 PM
[SELinux] Problem with Bind 9

Hi, I cannot start the named service:
Code:
/etc/init.d/named start
Starting named: 
Error in named configuration:
zone default.domain/IN: loading from master file /home/admin/conf/dns/default.domain.db failed: permission denied
zone default.domain/IN: not loaded due to errors.
_default/default.domain/IN: permission denied

If I change SELinux to permissive mode (setenforce 0), named starts.

OK, then I look at the denials:
Code:
# sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/sbin/named-checkconf from read access on the file default.domain.db.

# ausearch -m avc -c named
----
time->Tue Jan  1 20:18:15 2013
type=SYSCALL msg=audit(1357082295.592:26312): arch=c000003e syscall=2 success=yes exit=3 a0=7fa1e3d1f018 
a1=0 a2=1b6 a3=0 items=0 ppid=6128 pid=6133 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 
ses=1 comm="named-checkconf" exe="/usr/sbin/named-checkconf" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { open } for  pid=6133 comm="named-checkconf" name="default.domain.db" 
dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { read } for  pid=6133 comm="named-checkconf" name="default.domain.db" 
dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

Then I switch the contexts:
Code:
# semanage fcontext -a -t named_zone_t '/home/admin/conf/dns(/.*)?'
# restorecon -F -R -v /home/admin/conf
# ls -dZ /home/admin/conf/dns/
drwxr-x--x. root root system_u:object_r:named_zone_t:s0 /home/admin/conf/dns/
# ls -Z /home/admin/conf/dns/
-rw-r-----. root named system_u:object_r:named_zone_t:s0 
# setenforce 1

But the problem is the same.

The funny thing is that if I change to permissive mode and do:
Code:
# sealert -a /var/log/audit/audit.log  
100% done
found 0 alerts in /var/log/audit/audit.log
# ausearch -m avc -c named
<no matches>

What is the problem?

---------- Post updated at 07:39 PM ---------- Previous update was at 06:38 PM ----------

OK, the problem was the context type of the directory that contains /dns. The proper context must be var_t:
Test 1:
chcon -t var_t /home/admin/conf
named does not start.
Test 2:
chcon -t var_t /home/admin
named does not start.
Test 3:
chcon -t var_t /home
named starts!!

Conclusion:
Zone database files must be located in the var directory, so that SELinux allows access.

Last edited by Anibal; 01-01-2013 at 08:09 PM..
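As an added example (not code from Anibal's post or from BIND), the following Python script does two things a practitioner would want at this point: it parses AVC records of the shape shown above into (source type, target type, object class) groups with their denied permissions, and it walks the directory chain down to a zone file to show which ancestors a confined domain would still have to search after relabelling only the leaf directory. The audit lines and directory labels are constructed from what the post shows; the set of directory types assumed searchable by named_t is an illustration only and should be taken from the real policy with `sesearch -A -s named_t -c dir -p search`.

```python
"""Added example for the SELinux/BIND thread above; not code from the post.

Two diagnostics:
  1. parse_avc()/summarize(): turn raw audit.log AVC records into
     (source type, target type, object class) -> denied permissions.
  2. blocked_ancestors(): given the label of every directory on the way to
     a file, list the ancestors a confined domain cannot search.
"""
import re
from pathlib import PurePosixPath

# Constructed sample: the records quoted in the post, long lines re-joined.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1357082295.592:26312): arch=c000003e syscall=2 success=yes exit=3 comm="named-checkconf" exe="/usr/sbin/named-checkconf" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { open } for  pid=6133 comm="named-checkconf" name="default.domain.db" dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { read } for  pid=6133 comm="named-checkconf" name="default.domain.db" dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record per line: verdict, permission set, comm, optional name,
# source/target contexts and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'(?:.*?name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def context_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record found in the audit log text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records etc. are skipped
        rec = m.groupdict()
        rec["perms"] = sorted(rec["perms"].split())
        rec["stype"] = context_type(rec["scontext"])
        rec["ttype"] = context_type(rec["tcontext"])
        records.append(rec)
    return records


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = {}
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["stype"], r["ttype"], r["tclass"])
        summary.setdefault(key, set()).update(r["perms"])
    return {k: sorted(v) for k, v in summary.items()}


# Constructed labels, as `ls -dZ` would show them after relabelling only
# /home/admin/conf/dns; the ancestor labels are the stock home-directory ones.
SAMPLE_LABELS = {
    "/": "root_t",
    "/home": "home_root_t",
    "/home/admin": "user_home_dir_t",
    "/home/admin/conf": "user_home_t",
    "/home/admin/conf/dns": "named_zone_t",
    "/home/admin/conf/dns/default.domain.db": "named_zone_t",
}

# ASSUMPTION for illustration only: directory types the named_t domain may
# search.  The authoritative list comes from the loaded policy:
#   sesearch -A -s named_t -c dir -p search
SEARCHABLE_BY_NAMED_T = {"root_t", "var_t", "named_zone_t", "named_conf_t",
                         "etc_t", "usr_t"}


def ancestors(path):
    """All parent directories of path, from / downwards."""
    return [str(p) for p in reversed(PurePosixPath(path).parents)]


def blocked_ancestors(path, labels, searchable):
    """(directory, type) pairs on the way to path that the domain cannot search."""
    return [(d, labels.get(d)) for d in ancestors(path)
            if labels.get(d) not in searchable]


if __name__ == "__main__":
    for key, perms in summarize(parse_avc(SAMPLE_AUDIT_LOG)).items():
        print("denied %s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(perms)))
    zone = "/home/admin/conf/dns/default.domain.db"
    for d, t in blocked_ancestors(zone, SAMPLE_LABELS, SEARCHABLE_BY_NAMED_T):
        print("named_t cannot search %s (%s)" % (d, t))
```

The chain check is the part the post's three chcon tests were probing by hand: the AVC on the file goes away once the leaf is named_zone_t, but every directory above it still needs search permission for named_t, so relabelling stops helping until /home, /home/admin and /home/admin/conf are all reachable. If permissive mode logs nothing at all, one common reason is a dontaudit rule hiding exactly that kind of directory-search denial; `semodule -DB` rebuilds the policy with dontaudit rules disabled so they appear in audit.log, and `semodule -B` restores the default afterwards.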