-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Edward Kuns wrote:
I have dhcp + named set up to cooperate, but selinux (understandably) denies named write access to the files it needs to modify for dynamic dns updates. I have created the following policy. Is there a better way of doing this? Best would be if there was a way to allow write access *only* to those handful of files in /var/named/chroot/var/named that are truly dynamic, perhaps by labeling. Would it be possible or reasonable to add named_dynamic_zone_t or some equivalent? Is there a better way to solve this problem or am I missing some already-available mechanism?
Thanks
Eddie
module mybind 1.0;

require {
    type named_t;
    type named_zone_t;
    class file write;
}

#============= named_t ==============
allow named_t named_zone_t:file write;
There is currently a boolean to allow this.
getsebool named_write_master_zones
man named_selinux
will give further explanation.
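As an added illustration (not code from either poster), the script below shows how an administrator can tell whether an audit denial is exactly the named_t writing named_zone_t:file case that the named_write_master_zones boolean covers, and then read the boolean's current state, so the local module above is only needed when the denial is something else. The audit line and getsebool output it parses are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread; the AVC line and getsebool line are constructed.

# Print "match" when the audit line is named_t denied write on a named_zone_t
# file (the case the named_write_master_zones boolean allows), else "nomatch".
avc_is_zone_write() {
    # $1: one line from the audit log
    printf '%s\n' "$1" | awk '
        index($0, "avc:") && index($0, "denied") && index($0, "{ write }") &&
        /scontext=[^ ]*:named_t:/ && /tcontext=[^ ]*:named_zone_t:/ &&
        /tclass=file( |$)/ { print "match"; found = 1; exit }
        END { if (!found) print "nomatch" }'
}

# Extract on/off from a line like "named_write_master_zones --> off".
bool_state() {
    # $1: one line of getsebool output
    printf '%s\n' "$1" | awk '$1 == "named_write_master_zones" && $2 == "-->" { print $3 }'
}

# Recommend the next step: enable the boolean persistently when the denial is
# the covered case; anything else deserves a look before writing policy for it.
recommend() {
    # $1: audit line, $2: getsebool line
    if [ "$(avc_is_zone_write "$1")" != match ]; then
        echo "not the zone-write case; investigate before adding policy"
        return 0
    fi
    case "$(bool_state "$2")" in
        on)  echo "boolean already on; denial needs other attention" ;;
        off) echo "run: setsebool -P named_write_master_zones 1" ;;
        *)   echo "could not read boolean state"; return 1 ;;
    esac
}

# Constructed sample inputs, not taken from a real host.
SAMPLE_AVC='type=AVC msg=audit(1200000000.123:456): avc:  denied  { write } for  pid=2345 comm="named" name="example.com.zone" dev=dm-0 ino=12345 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file'
SAMPLE_BOOL='named_write_master_zones --> off'

recommend "$SAMPLE_AVC" "$SAMPLE_BOOL"
```

On a live host the two sample strings would come from `ausearch -m avc -c named` and `getsebool named_write_master_zones`; the `-P` flag to setsebool makes the change survive a reboot, which is what distinguishes it from the temporary toggle.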