Web Server forum
    Permissions Issue starting Bind 9.3.1  
Jason Williard
12-14-05 07:56 AM

I am using Bind 9.3.1 on RedHat Enterprise 4 which I installed using the
RPMs available by RedHat.  While it appears to load the zones properly, it
is unable to start completely due to permissions issues with the named.ca
and configuration file.  Below are the log entries:

Dec 13 18:11:57 ds01 named[1126]: starting BIND 9.3.1 -u named
Dec 13 18:11:57 ds01 named[1126]: found 1 CPU, using 1 worker thread
Dec 13 18:11:57 ds01 named[1126]: loading configuration from '/etc/named.conf'
Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth0, 67.x.x.x#53
Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth1, 10.x.x.x#53
Dec 13 18:11:57 ds01 kernel: audit(1134519117.077:0): avc:  denied  { read } for  pid=1127 exe=/usr/sbin/named name=named.ca dev=sda5 ino=8717074 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file
Dec 13 18:11:57 ds01 named[1126]: could not configure root hints from 'named.ca': permission denied
Dec 13 18:11:57 ds01 named[1126]: loading configuration: permission denied
Dec 13 18:11:57 ds01 named[1126]: exiting (due to fatal error)
Dec 13 18:11:57 ds01 named: named startup failed


As far as I can see, the permissions are set properly.  Here are the
permissions for the two files mentioned in the log entries above:

-rw-r--r--   1 named named  2518 Jul 26 02:40 named.ca
-rw-r-----   1 root named   7761 Dec 13 18:11 named.conf


Any ideas as to what is causing this?

Thank You,
Jason Williard

    Re: Permissions Issue starting Bind 9.3.1  
Mark Andrews
12-14-05 07:56 AM


> I am using Bind 9.3.1 on RedHat Enterprise 4 which I installed using the
> RPMs available by RedHat.  While it appears to load the zones properly, it
> is unable to start completely due to permissions issues with the named.ca
> and configuration file.  Below are the log entries:
>
> Dec 13 18:11:57 ds01 named[1126]: starting BIND 9.3.1 -u named
> Dec 13 18:11:57 ds01 named[1126]: found 1 CPU, using 1 worker thread
> Dec 13 18:11:57 ds01 named[1126]: loading configuration from '/etc/named.conf'
> Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface lo, 127.0.0.1#53
> Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth0, 67.x.x.x#53
> Dec 13 18:11:57 ds01 named[1126]: listening on IPv4 interface eth1, 10.x.x.x#53
> Dec 13 18:11:57 ds01 kernel: audit(1134519117.077:0): avc:  denied  { read } for  pid=1127 exe=/usr/sbin/named name=named.ca dev=sda5 ino=8717074 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file
> Dec 13 18:11:57 ds01 named[1126]: could not configure root hints from 'named.ca': permission denied
> Dec 13 18:11:57 ds01 named[1126]: loading configuration: permission denied
> Dec 13 18:11:57 ds01 named[1126]: exiting (due to fatal error)
> Dec 13 18:11:57 ds01 named: named startup failed
>
>
> As far as I can see, the permissions are set properly.  Here are the
> permissions for the two files mentioned in the log entries above:
>
> -rw-r--r--   1 named named  2518 Jul 26 02:40 named.ca
> -rw-r-----   1 root named   7761 Dec 13 18:11 named.conf
>
>
> Any ideas as to what is causing this?
>
> Thank You,
> Jason Williard

Stupid idiotic defaults for named in SELinux.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

    Re: Permissions Issue starting Bind 9.3.1  
Jason Vas Dias
12-14-05 11:01 PM

On Tuesday 13 December 2005 22:05, Mark Andrews <Mark_Andrews@isc.org> wrote:
> 
>
>  	Stupid idiotic defaults for named in SELinux.
>
>  	Mark
>  --
>  Mark Andrews, ISC
>  1 Seymour St., Dundas Valley, NSW 2117, Australia
>  PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
>
>
>

Yes, as mentioned by Mark, this issue is caused by Red Hat's
terrific SELinux named security features, which remove the
need to run BIND in a chroot environment.

You need to ensure that your configuration files are located
where the SELinux policy expects to find them.

If you have bind-chroot installed, $ROOTDIR will be set in
/etc/sysconfig/named.

The SELinux policy expects to find the named configuration files here:

Location:                             Context (shown by ls -Z):
$ROOTDIR/etc/{named.conf,rndc.*}      system_u:object_r:named_conf_t
$ROOTDIR/var/named{,/*}               system_u:object_r:named_zone_t
$ROOTDIR/var/named/data{,/*}          system_u:object_r:named_cache_t
$ROOTDIR/var/named/slaves{,/*}        system_u:object_r:named_cache_t

If your files do not have the contexts as shown above, do:
# restorecon -R /etc /var/named

Check your named.conf 'options { directory ... };' setting to ensure
your zone files are in the locations expected by SELinux.

If you really want to put configuration files in a different location,
use
# chcon system_u:object_r:named_zone_t $my_zone_files
or
# chcon system_u:object_r:named_conf_t $my_conf_files

Named is allowed to write to named_cache_t files, but not to
named_zone_t or named_conf_t files by the SELinux policy. If
you have dynamically updateable or slave zone files, put them
in $ROOTDIR/var/named/slaves.
You can tell SELinux to allow zone file writes by setting the
tunable boolean 'named_write_master_zones' in
/etc/selinux/targeted/booleans.

If you've any further issues with using BIND on RHEL-4, please
raise a bugzilla:
https://bugzilla.redhat.com/bugzill...&component=bind
and I'll do my best to resolve them.

Thanks & Regards
Jason Vas Dias
Red Hat BIND package maintainer
Red Hat Inc.
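The following is an added example and is not code from this thread, from ISC, or from Red Hat's BIND package. It ties the two technical parts of the thread together: it pulls the file name, source and target contexts and the denied permission out of an AVC denial line (a constructed copy of the kernel line in the first post), then checks the observed file type against the contexts the reply above says the RHEL-4 policy expects, and prints the restorecon or chcon step from the reply. It uses only POSIX shell, sed and cut, so it runs without SELinux or BIND installed. It assumes no bind-chroot ($ROOTDIR empty) and that named.conf's 'directory' points at /var/named; the AVC record carries only name/dev/ino, not the directory, so that directory is supplied by the caller.

```shell
# Expected SELinux type for a BIND path, taken from the table in the reply.
# Order matters: the more specific /var/named/data and /var/named/slaves
# patterns must come before the general /var/named/* pattern.
expected_type() {
    case "$1" in
        /etc/named.conf|/etc/rndc.*)               echo named_conf_t ;;
        /var/named/data|/var/named/data/*)         echo named_cache_t ;;
        /var/named/slaves|/var/named/slaves/*)     echo named_cache_t ;;
        /var/named|/var/named/*)                   echo named_zone_t ;;
        *)                                         echo unlabeled ;;
    esac
}

# Pull one key=value field (name, scontext, tcontext, tclass, ...) out of an
# AVC denial line. Fields are space separated and never contain spaces.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The denied permission inside "{ ... }" (one permission, as in the log).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# Type field of a context string "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the observed type of a file with the expected one and say what to
# do: restorecon when the file sits where the policy already labels it,
# otherwise the chcon form the reply suggests for files kept elsewhere.
diagnose() {
    path=$1; observed=$2
    want=$(expected_type "$path")
    if [ "$want" = unlabeled ]; then
        echo "unlabeled: $path is outside the locations the policy labels; run: chcon system_u:object_r:named_zone_t $path (named_conf_t for config files)"
    elif [ "$observed" = "$want" ]; then
        echo "ok: $path is $observed"
    else
        echo "mismatch: $path is $observed, expected $want; run: restorecon -R /etc /var/named"
    fi
}

# Walk one AVC line end to end. $2 is the directory named.conf points at,
# because the AVC record itself only carries name/dev/ino (assumption).
explain_avc() {
    line=$1; dir=$2
    file=$(avc_field "$line" name)
    echo "named ($(context_type "$(avc_field "$line" scontext)")) was denied $(avc_perm "$line") on $file"
    diagnose "$dir/$file" "$(context_type "$(avc_field "$line" tcontext)")"
}

# Constructed copy of the kernel line from the first post, re-joined onto one line.
SAMPLE_AVC='Dec 13 18:11:57 ds01 kernel: audit(1134519117.077:0): avc:  denied  { read } for  pid=1127 exe=/usr/sbin/named name=named.ca dev=sda5 ino=8717074 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file'

explain_avc "$SAMPLE_AVC" /var/named
```

Run as written, it reports that named (named_t) was denied read on named.ca and that /var/named/named.ca carries var_t where the policy expects named_zone_t, which is exactly why the Unix mode bits in the first post looked fine yet named could not read the file: the DAC permissions were never the problem, the file label was. On a real system the observed type would come from `ls -Z` rather than from a constructed line.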