Hi,
I have a server running FC3 + selinux (targeted) and I had some problems with bind and dynamic DNS updates. This is how I fixed it.
The first thing I noticed is that the named server was not able to create the journal files for the zones I was trying to update:
# ls -l /var/named/chroot/var
total 24
drwxr-x---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp
because the user "named" (the one running the daemon) did not have access to create new files inside the named folder. I think this is a problem in the bind-chroot rpm package. I ran the following command to give the user named access to create new files inside the named folder:
# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp
That fixed the problem. Now selinux!!!
When I try to update one of the zones I get the following error in /var/log/messages
----------------------------------------------------------------------
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------
I ran the "Security Level Configuration" tool and enabled "Allow named to overwrite master zone files" and that fixed the problem.
Without the ACL modifications of the folder /var/named/chroot/var/named the setting in the "Security Level Configuration" is useless. I hope this information helps somebody having the same problems...
RJB
On Thursday 02 December 2004 07:52, "Rogelio J. Baucells" rj@baucells.net wrote:
# chmod 770 /var/named/chroot/var/named
Please file a bugzilla requesting that the default permissions of the directory be changed to mode 0770.
Rogelio J. Baucells wrote:
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
I think the preferred setup is to have the jnl files written to the var/named/run directory.
Dan
Daniel J Walsh wrote:
I think the preferred setup is to have the jnl files written to the var/named/run directory.
Dan
Hi,
Is there a setting in the named.conf to do that? I think the default is to store the jnl files in the same location as the zone files.
RJB
Rogelio J. Baucells wrote:
Is there a setting in the named.conf to do that? I think the default is to store the jnl files in the same location as the zone files.
Yes I was wrong, Jason explained to me what is going on, so I believe you set it up correctly to handle your situation.
Hi -
Yes, for added security, named must be explicitly enabled to update its master zone files with the 'named_write_master_zones=1' setting in /etc/selinux/targeted/booleans and by granting write access to the 'named' user for the directory in which dynamically updated zone files are stored. Named will always create .jnl files in the same directory as the zone to be updated.

One solution would be to put the dynamically updated zones in a 'ddns/' subdirectory of $ROOTDIR/var/named and make that directory owned by named:named; then for each dynamically updated zone X, set the 'file' option in named.conf to 'ddns/X.db'.

A decision was made not to enable named to write its zone files by default, to prevent attackers who gain control of the named process from being able to change the zone file contents.
On Thu, 2004-12-02 at 08:48, Daniel J Walsh wrote:
I think the preferred setup is to have the jnl files written to the var/named/run directory.
Dan
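The layout Jason describes, as an added example that is not code from the thread or from the bind/selinux packages: a small POSIX shell script that lays out the ddns/ subdirectory, emits the matching named.conf zone stanza, and checks the two conditions his message names (directory mode 0770 and named_write_master_zones=1 in the booleans file). ROOTDIR defaults to the /var/named/chroot path used in the thread; the named:named owner, the example.com zone and the allow-update list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread: lay out the 'ddns/' subdirectory
# Jason describes for dynamically updated zones and check the two conditions he
# names. ROOTDIR defaults to the bind-chroot path used in the thread; the user and
# group names, the booleans path default and the example.com zone are assumptions.

ROOTDIR="${ROOTDIR:-/var/named/chroot}"
NAMED_USER="${NAMED_USER:-named}"
NAMED_GROUP="${NAMED_GROUP:-named}"
BOOLEANS_FILE="${BOOLEANS_FILE:-/etc/selinux/targeted/booleans}"

# Emit a named.conf zone stanza whose 'file' points under ddns/, so the .jnl
# journal that named creates beside the zone file lands in the writable directory.
# The allow-update list is an assumption modelled on the 127.0.0.1 client seen in
# the thread's log; substitute your real update policy.
ddns_zone_stanza() {
    zone="$1"
    printf 'zone "%s" IN {\n' "$zone"
    printf '    type master;\n'
    printf '    file "ddns/%s.db";\n' "$zone"
    printf '    allow-update { 127.0.0.1; };\n'
    printf '};\n'
}

# Succeed only when the directory shows the drwxrwx--- (0770) mode from the thread:
# owner and group may create the journal, nobody else can even list the directory.
ddns_dir_mode_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwxrwx---" ]
}

# Succeed when the FC3-era booleans file switches named_write_master_zones on;
# without it the AVC denial on named_zone_t comes back whatever the directory mode.
named_write_master_zones_on() {
    file="${1:-$BOOLEANS_FILE}"
    [ -r "$file" ] || return 1
    grep -q '^named_write_master_zones=1$' "$file"
}

# Create ROOTDIR/var/named/ddns owned by named:named with mode 0770 (needs root),
# print the zone stanza and report the state of both checks.
setup_ddns() {
    dir="$ROOTDIR/var/named/ddns"
    mkdir -p "$dir" && chown "$NAMED_USER:$NAMED_GROUP" "$dir" && chmod 770 "$dir" || return 1
    ddns_zone_stanza "${1:-example.com}"
    if ddns_dir_mode_ok "$dir"; then echo "ok: $dir is 0770"; else echo "FAIL: $dir is not 0770"; fi
    if named_write_master_zones_on; then
        echo "ok: named_write_master_zones=1"
    else
        echo "FAIL: named_write_master_zones is not enabled in $BOOLEANS_FILE"
    fi
}

# Run the setup only when invoked as 'sh ddns-layout.sh setup [zone]'.
if [ "${1:-}" = "setup" ]; then
    setup_ddns "${2:-example.com}"
fi
```

Run it as root with `sh ddns-layout.sh setup example.com`; the two check functions can also be sourced and pointed at any directory or booleans file. On systems with policycoreutils, `getsebool named_write_master_zones` reports the live value of the boolean rather than the persisted file setting.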
Hello List,
I have a problem sending mail from a PHP script.
audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
Everything else works very well with SELinux.
System FC3 Postfix, SELinux enforcing, targeted.
Thank you for any help.
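Both threads on this page turn on reading an 'avc: denied' line. As an added example (not code from the thread or from any SELinux tool), a POSIX shell script that pulls the source type, permission, target class, target type and exe out of such a line and maps the two denial shapes quoted on this page to the fix the replies gave: named_t writing a named_zone_t directory (the journal problem in the first thread) and httpd_sys_script_t touching an sbin_t file (Edy's PHP mail problem). The sample lines are copied from the two messages; the hint text only restates the replies and is an assumption for any other denial.

```shell
#!/bin/sh
# Added example, not from the list thread: pull the fields that matter out of the
# FC3-era 'avc: denied' lines quoted in both threads and say what each denial
# means. The two sample lines are copied from the messages on this page; the
# hints restate the replies and are assumptions for any denial not shown here.

# The named journal denial from Rogelio's message.
AVC_NAMED='Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir'
# The PHP-to-sendmail denial from Edy's message.
AVC_HTTPD='audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file'

# Value of one space-separated key=value field; prints nothing when it is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Type component (third colon-separated field) of a user:role:type context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permission(s) inside the braces, comma-joined when there is more than one.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/ *$//' | tr ' ' ','
}

# One-line summary: source type, permission, target class, target type, exe.
# Returns 1 for lines that are not AVC denials (e.g. the named messages around them).
avc_summary() {
    line="$1"
    case "$line" in *'avc: denied'*) ;; *) return 1 ;; esac
    printf '%s %s %s %s %s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" exe)"
}

# Map the two denial shapes seen on this page to the fix each reply gave.
avc_hint() {
    summary=$(avc_summary "$1") || return 1
    case "$summary" in
        "named_t write dir named_zone_t "*)
            echo "named cannot create its .jnl journal: enable named_write_master_zones and make the zone directory writable by the named user" ;;
        "httpd_sys_script_t "*" file sbin_t "*)
            echo "script reached a binary labelled sbin_t instead of its exec type: compare the label with file_contexts for that path and relabel or update the policy" ;;
        *)
            echo "no hint for: $summary" ;;
    esac
}

# Walk a log on stdin and print a summary plus hint for every denial in it.
avc_report() {
    while IFS= read -r line; do
        case "$line" in *'avc: denied'*) ;; *) continue ;; esac
        avc_summary "$line"
        avc_hint "$line"
    done
}

# Demonstration on the two lines copied from the thread.
printf '%s\n%s\n' "$AVC_NAMED" "$AVC_HTTPD" | avc_report
```

Feed it a real file with `avc_report < /var/log/messages`; everything that is not a denial is skipped, and the summary format is stable enough to sort and count with `sort | uniq -c` when the same denial repeats.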
Edy Corak wrote:
Update to the latest policy; it should fix this problem.
Dan
Daniel J Walsh wrote:
Update to the latest policy; it should fix this problem.
Dan
Thank you very much for your prompt answer.
I have updated policy-targeted to 1.17.30-2.39, but it's the same problem: no chance to send mail from the PHP script.
audit(1102024220.525:0): avc: denied { getattr } for pid=8178 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7513871 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
I looked at the policy-targeted-source; under file_contexts in postfix.fc, sendmail.postfix is labeled as /usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t
and under /usr/sbin it is system_u:object_r:sbin_t sendmail.postfix
rpm -q -l postfix | restorecon -R -v -f - changes to system_u:object_r:sbin_t sendmail.postfix
Which of them is correct?
Sorry for my bad reply before; next time I start a thread I will right-click and choose New.
Thank you very much
Edy
Edy Corak wrote:
OK, I see the problem. It will be fixed in selinux-policy-targeted-1.17.30-2.41. It is already fixed in rawhide (selinux-policy-targeted-1.19.8-1).
Daniel J Walsh wrote:
OK, I see the problem. It will be fixed in selinux-policy-targeted-1.17.30-2.41. It is already fixed in rawhide (selinux-policy-targeted-1.19.8-1).
OK I will wait for the update.
Thank you very much for your help.
Edy
On Thursday 02 December 2004 01:34 pm, Edy Corak wrote:
Hi,
Please don't start a new thread in someone else's thread.
I know you changed the subject line, but that does not remove the old thread, as that information is stored in the header of the email.
The correct way to save keystrokes is not to change the subject but to right-click on the list name and select New.
Thanks,
On Thu, 02 Dec 2004 16:23:55 EST, steve szmidt said:
The correct way to save keystrokes is not to change the subject but to right-click on the list name and select New.
Oddly enough, right clicking on the list name and selecting New doesn't seem to work in my exmh client.... ;)
Apparently, based on the X-Mailers, you sent your message with KMail/1.6.1, while Edy posted with Thunderbird 0.9.
Not being a Thunderbird user, I have no way of knowing if your advice to Edy is correct - but it's certainly *incorrect* for at least some readers of this list...