This is a discussion on "bind chrooted, logging and SELinux = suffering" within the Bind Users forums, part of the DNS and Related Forums category.
Hi,

I'm running Bind 9.2.4 chrooted (bind-chroot.rpm, directory /var/named/chroot/) on a RedHat 4EL server, with SELinux enforced. After a lot of trouble (solved!) with slave zone transfers (take a look at the message "Solution to slave zone transfer problem", by Jason Vas Dias <jvdias@redhat.com>), I always get the same error while trying to log to a file other than /dev/log:

    logging {
        channel seclog {
            file "/var/log/dns-sec.log" versions 5 size 1m;
            print-time yes;
            print-category yes;
        };
        category xfer-out { seclog; };
        category security { seclog; };
        category lame-servers { null; };
    };

    # ls -l /var/named/chroot/
    drwxrwxr--  2 root  named 4096 May 31 14:50 dev
    drwxrwx---  2 root  named 4096 Jun  1 15:57 etc
    drwxrwx---  6 root  named 4096 May 31 15:18 var

    # ls -l /var/named/chroot/var
    drwxrwx---  2 named named 4096 May 31 15:18 log
    drwxrwx---  4 root  named 4096 Jun  1 15:19 named
    drwxrwx---  3 root  named 4096 May 30 16:03 run
    drwxrwx---  2 named named 4096 May 31 17:31 tmp

    # ls -l /var/named/chroot/var/log
    -rw-rw----  1 named named 0 May 31 15:18 dns-sec.log

    # tail -f /var/log/messages
    Jun 1 15:40:03 dexter named[29371]: loading configuration from /etc/named.conf'
    Jun 1 15:40:03 dexter named[29371]: logging channel 'seclog' file '/var/log/dns-sec.log': permission denied
    Jun 1 15:40:03 dexter kernel: audit(1117633203.103:0): avc: denied { append } for pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 ino=3801110 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file
    Jun 1 15:40:03 dexter named: named reload succeeded

I think SELinux is causing a lot of problems. How can I disable all of these constraints without shutting it off? How is it possible that RedHat is not concerned about an official RPM *NOT* working because of conflicts with other default configurations?? Did anybody else get these pains in the a*s? I'm really disgruntled. How can we encourage security when the only way out is no-security??

Thanks
--
-------------------------
Mariano Cunietti
System Administrator
Enter S.r.l.
Via Stefanardo da Vimercate, 28
20128 - Milano - Italy
Tel. +39 02 25514319
Fax +39 02 25514303
mcunietti@enter.it
www.enter.it - www.enterpoint.it
---------------------------
Gruppo Y2K - www.gruppoy2k.it
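Added example, not part of the post: a POSIX sh helper that parses the AVC denial quoted above into source type, permission, target type and class, so the cause (the log file carries the named_conf_t label, which named may only read) is visible without turning SELinux off. The sample line is the post's own denial; `<WRITABLE_TYPE>` is a placeholder for whatever writable named type the installed policy defines, which is an assumption to check locally.

```shell
#!/bin/sh
# Triage helper for an SELinux AVC denial line (kernel audit format as seen
# in /var/log/messages). Constructed sample: the denial from the post above.
SAMPLE_AVC='Jun 1 15:40:03 dexter kernel: audit(1117633203.103:0): avc: denied { append } for pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2 ino=3801110 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file'

# avc_field LINE KEY -> value of the "KEY=value" token (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE -> permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> type component of a user:role:type[:level] context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SRC_TYPE PERM TGT_TYPE:TCLASS NAME"
# For the sample this yields "named_t append named_conf_t:file dns-sec.log":
# the log file is labelled as configuration, so named_t may read but not
# append to it. The fix is to relabel the file (or its directory) with a type
# the policy lets named_t write, not to disable SELinux.
avc_summary() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    printf '%s %s %s:%s %s\n' "$src" "$(avc_perm "$line")" \
        "$tgt" "$(avc_field "$line" tclass)" "$(avc_field "$line" name)"
}

# avc_checks LINE -> next commands to run (printed, not executed): inspect the
# current label, compare it with a directory the package already made
# writable for named (var/tmp in the post), then relabel. <WRITABLE_TYPE> is a
# placeholder for the writable named type your policy defines (assumption).
avc_checks() {
    f=$(avc_field "$1" name)
    printf 'ls -Z /var/named/chroot/var/log/%s /var/named/chroot/var/tmp\n' "$f"
    printf 'chcon -t <WRITABLE_TYPE> /var/named/chroot/var/log/%s\n' "$f"
}

avc_summary "$SAMPLE_AVC"
avc_checks "$SAMPLE_AVC"
```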