Why can't named update slave zone database files, slave journal files and master zones from journals?
Author: ISC Support | Reference Number: AA-00320 | Created: 2011-05-16 18:13 | Last Updated: 2017-02-23 22:44


It is not known which versions of Red Hat Enterprise Linux (RHEL), SELinux and Fedora Core the problem addressed by this article applies to.

The article may also sometimes apply to SELinux in other distributions.

This is a problem that has been reported when running BIND on Red Hat Enterprise Linux or Fedora Core. Specifically, problems are encountered with updating slave zone database files, creating DDNS journal files and updating master zones from journals. It also manifests itself as named being unable to create custom log files.

Red Hat Security-Enhanced Linux (SELinux) policy security protections:

Red Hat has adopted the National Security Agency's SELinux security policy (see http://www.nsa.gov/research/selinux/index.shtml) and recommendations for BIND security, which are more secure than running named in a chroot and make use of the bind-chroot environment unnecessary.

By default, named is not allowed by the SELinux policy to write, create or delete any files EXCEPT in these directories:

    $ROOTDIR/var/named/slaves
    $ROOTDIR/var/named/data
    $ROOTDIR/var/tmp

where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.


The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var/named directory, the default location for master zone database files.

SELinux policy overrides ordinary file access permissions: even if all the files under /var/named have ownership named:named and mode rw-rw-r--, named will still not be able to write or create files except in the directories above while SELinux is in Enforcing mode.

So, to allow named to update slave or DDNS zone files, it is best to locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:

    zone "slave.zone." IN {
        type slave;
        file "slaves/slave.zone.db";
        ...
    };

    zone "ddns.zone." IN {
        type master;
        allow-update { ... };
        file "slaves/ddns.zone.db";
    };


To allow named to create its cache dump and statistics files, for example, you could use named.conf options statements such as:

    options {
        ...
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        ...
    };
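The following Python script is an added example and is not part of this ISC article or of BIND. It scans a named.conf for the files named must write (slave and stub zone files, master zones with dynamic updates enabled, and the dump and statistics files) and reports any placed outside /var/named/slaves, /var/named/data and /var/tmp, the directories the default policy lets named write. The configuration it scans is a constructed sample; the default working directory of /var/named when no options { directory } is set, the treatment of allow-update { none; } as read-only, and the use of os.getxattr to read a file's SELinux label are assumptions of the example.

```python
# Added example (not ISC's code): audit a named.conf for files that named must
# write but that sit outside the directories the default SELinux policy allows.
# The configuration below is a constructed sample, not taken from a real server.
import os
import re

# Directories the default targeted policy labels named_cache_t (writable by named).
WRITABLE_DIRS = ("/var/named/slaves", "/var/named/data", "/var/tmp")

SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";     // fine: under data/
    statistics-file "/var/named/named_stats.txt";  // denied: /var/named is named_zone_t
};
zone "slave.zone." IN { type slave; file "slaves/slave.zone.db"; masters { 192.0.2.1; }; };
zone "ddns.zone." IN { type master; allow-update { key ddns-key; }; file "ddns.zone.db"; };
zone "static.zone." IN { type master; file "static.zone.db"; };
"""


def strip_comments(text):
    """Drop /* */, // and # comments so braces inside them do not confuse the scan."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(text):
    """Yield (header, body) for each top-level `header { body };`, matching braces
    by depth so nested blocks such as allow-update { ... } stay inside the body."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 1, start + 1
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def first_quoted(text, keyword):
    """Value of the first `keyword "value"` in text, or None."""
    m = re.search(r'\b%s\s+"([^"]+)"' % re.escape(keyword), text)
    return m.group(1) if m else None


def resolve(path, directory):
    """named interprets relative file names against options { directory }."""
    return path if path.startswith("/") else os.path.join(directory, path)


def writable_by_policy(path):
    """True when the path lies under a directory named may write to by default."""
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)


def needs_write(body):
    """Slave/stub zones are written by named; a master zone only when dynamic
    updates are on (allow-update other than none, or update-policy) - an assumption."""
    m = re.search(r"\btype\s+(\w+)", body)
    ztype = m.group(1) if m else None
    if ztype in ("slave", "stub"):
        return True
    return ztype == "master" and bool(
        re.search(r"\b(allow-update|update-policy)\s*\{(?!\s*none\s*;)", body))


def audit(conf_text):
    """Return [(what, absolute path)] for files named must write that the default
    SELinux policy will deny, in configuration order."""
    statements = list(top_level_statements(strip_comments(conf_text)))
    directory = "/var/named"  # assumed default when options { directory } is absent
    for header, body in statements:
        if header == "options":
            directory = first_quoted(body, "directory") or directory
    findings = []
    for header, body in statements:
        if header == "options":
            for key in ("dump-file", "statistics-file", "memstatistics-file"):
                p = first_quoted(body, key)
                if p and not writable_by_policy(resolve(p, directory)):
                    findings.append((key, resolve(p, directory)))
        elif header.startswith("zone"):
            f = first_quoted(body, "file")
            if f and needs_write(body) and not writable_by_policy(resolve(f, directory)):
                findings.append(("zone " + first_quoted(header, "zone"), resolve(f, directory)))
    return findings


def selinux_type(path):
    """SELinux type of an existing path (e.g. 'named_zone_t'), or None when the
    file is missing or the host has no SELinux labels (os.getxattr is Linux-only)."""
    try:
        ctx = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return ctx.decode().rstrip("\x00").split(":")[2]


if __name__ == "__main__":
    for what, path in audit(SAMPLE_NAMED_CONF):
        label = selinux_type(path)
        print(f"{what}: named will be denied writing {path}"
              + (f" (current type {label})" if label else "")
              + "; move it under " + ", ".join(WRITABLE_DIRS)
              + " or enable named_write_master_zones")
```

To check a live server, pass the contents of its named.conf to audit() instead of the sample. Two caveats when applying the fixes from this article: a context set with chcon is lost on the next filesystem relabel (restorecon) unless a matching file-context rule is also added, and a setsebool change is lost at reboot unless made with -P.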


You can also tell SELinux to allow named to update any zone database files, by setting the SELinux tunable boolean parameter 'named_write_master_zones=1', using the system-config-securitylevel GUI, using the 'setsebool' command, or in /etc/selinux/targeted/booleans.

You can disable SELinux protection for named entirely by setting the 'named_disable_trans=1' SELinux tunable boolean parameter.

The SELinux named policy defines these SELinux contexts for named:

    named_zone_t  : for zone database files - $ROOTDIR/var/named/*
    named_conf_t  : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
    named_cache_t : for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}


If you want to retain use of the SELinux policy for named and put named files in different locations, you can do so by changing the context of the custom file locations.

To create a custom configuration file location, e.g. '/root/named.conf', to use with the 'named -c' option, do:

# chcon system_u:object_r:named_conf_t /root/named.conf


To create a custom modifiable named data location, e.g. '/var/log/named' for a log file, do:

# chcon system_u:object_r:named_cache_t /var/log/named


To create a custom zone file location, e.g. /root/zones/, do:

# chcon system_u:object_r:named_zone_t /root/zones/{.,*}


See these man pages for more information: selinux(8), named_selinux(8), chcon(1), setsebool(8)


© 2001-2017 Internet Systems Consortium
