Re: bind chrooted, logging and SELinux = suffering

This is a discussion on Re: bind chrooted, logging and SELinux = suffering within the Bind Users forums, part of the DNS and Related Forums category; Thanks Jason, you've been very helpful. I was paying more attention while reading RedHat SELinux implementation and usage man ...


Go Back   Usenet Forums > DNS and Related Forums > Bind Users

Reload this Page Re: bind chrooted, logging and SELinux = suffering

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 06-01-2005
Mariano Cunietti
 
Posts: n/a
Default Re: bind chrooted, logging and SELinux = suffering
Thanks Jason,
you've been very helpful.
I was paying more attention while reading RedHat SELinux implementation
and usage man pages on
http://www.redhat.com/docs/manuals/e...selinux-guide/

Though SELinux is not very friendly at first glance, I'm starting to
undergo his apparent difficulties. I found it very interesting.

So, my fault: I've been too lazy to read and too fast to write.
I'm happy to hear that many workarounds (as bind-chroot is) won't be
necessary anymore.

Now, let's go on reading ;-)
Bye

Mariano

On Wed, 2005-06-01 at 17:46, Jason Vas Dias wrote:
> On Wed, 2005-06-01 at 10:06, Mariano Cunietti wrote:
> > Hi,
> > I'm running Bind 9.2.4 chrooted (bind-chroot.rpm, directory
> > /var/named/chroot/) on a RedHat 4EL server, with SELinux enforced.
> > After a lot of trouble (solved!) with slave zone transfers (take a look
> > to message "Solution to slave zone transfer problem", by Jason Vas Dias
> > <jvdias@redhat.com>), I get always the same error while trying to log to
> > other file than /dev/log:
> >
> > logging {
> > channel seclog {
> > file "/var/log/dns-sec.log" versions 5 size 1m;
> > print-time yes; print-category yes;
> > };
> > category xfer-out { seclog; };
> > category security { seclog; };
> > category lame-servers { null; };
> > };
> >
> > # ls -l /var/named/chroot/
> > drwxrwxr-- 2 root named 4096 May 31 14:50 dev
> > drwxrwx--- 2 root named 4096 Jun 1 15:57 etc
> > drwxrwx--- 6 root named 4096 May 31 15:18 var
> >
> > # ls -l /var/named/chroot/var
> > drwxrwx--- 2 named named 4096 May 31 15:18 log
> > drwxrwx--- 4 root named 4096 Jun 1 15:19 named
> > drwxrwx--- 3 root named 4096 May 30 16:03 run
> > drwxrwx--- 2 named named 4096 May 31 17:31 tmp
> >
> > # ls -l /var/named/chroot/var/log
> > -rw-rw---- 1 named named 0 May 31 15:18 dns-sec.log
> >
> > # tail -f /var/log/messages
> >
> > Jun 1 15:40:03 dexter named[29371]: loading configuration from
> > /etc/named.conf'
> > Jun 1 15:40:03 dexter named[29371]: logging channel 'seclog' file
> > '/var/log/dns-sec.log': permission denied
> > Jun 1 15:40:03 dexter kernel: audit(1117633203.103:0): avc: denied {
> > append } for pid=29372 exe=/usr/sbin/named name=dns-sec.log dev=md2
> > ino=3801110 scontext=root:system_r:named_t
> > tcontext=root:object_r:named_conf_t tclass=file
> > Jun 1 15:40:03 dexter named: named reload succeeded
> >
> >
> > I think SELinux is causing a lot of problems. How can I disable all of
> > these constraints without shutting it off? How is it possible that
> > RedHat is not concerned abot an official RPM *NOT* working because of
> > conflicts with other default configurations??
> > Did anybody else got these pains in the a*s?
> >
> > I'm really disgrunted. How can we encourage security when the only way
> > out is no-security??
> >
> > Thanks
> >
> If you have problems with the Red Hat BIND distribution, please report
> them through bugzilla.redhat.com .
>
> By default, Red Hat ships BIND with maximum security protection enabled,
> to counter known security vulnerabilities as mandated by our security
> response team.
>
> You are free to disable the SELinux BIND security protection completely:
>
> # chcon -R system_u:object_r:sbin_t /usr/sbin/named /usr/sbin/rndc
> # chown -R named:named /var/named
>
> A better solution would be to work within the SELinux named policy for
> new files you want bind to create / write - for example, to enable
> writing to a /var/named/chroot/log directory as in your case:
>
> # mkdir /var/named/chroot/log
> # chown named:named /var/named/chroot/log
> # chcon -R system_u:object_r:named_cache_t /var/named/chroot/log
>
> Also, bear in mind that the need for the chroot environment is
> removed by use of SELinux: SELinux policy is far more secure than
> the chroot environment. You can "rpm -e bind-chroot" and then use
> SELinux to enforce security for the /var/named directory.
>
> I've attached the "NOTES" section from the named man-page in
> the latest version of the Red Hat BIND distribution which
> explains SELinux BIND administration issues:
>
> NOTES
> Red Hat SELinux BIND Security Profile:
>
> By default, Red Hat ships BIND with the most secure SELinux policy that
> will not prevent normal BIND operation and will prevent exploitation of
> all known BIND security vulnerabilities . See the selinux(8) man page
> for information about SElinux.
>
> It is not necessary to run named in a chroot environment if the Red Hat
> SELinux policy for named is enabled. When enabled, this policy is far
> more secure than a chroot environment. Users are recommended to enable
> SELinux and remove the bind-chroot package.
>
> With this extra security comes some restrictions:
>
> By default, the SELinux policy does not allow named to write any master
> zone database files. Only the root user may create files in the $ROOT-
> DIR/var/named zone database file directory (the options { "directory" }
> option), where $ROOTDIR is set in /etc/sysconfig/named.
>
> The "named" group must be granted read privelege to these files in
> order for named to be enabled to read them.
>
> Any file created in the zone database file directory is automatically
> assigned the SELinux file context named_zone_t .
>
> By default, SELinux prevents any role from modifying named_zone_t
> files; this means that files in the zone database directory cannot be
> modified by dynamic DNS (DDNS) updates or zone transfers.
>
> The Red Hat BIND distribution and SELinux policy creates two directo-
> ries where named is allowed to create and modify files: $ROOT-
> DIR/var/named/slaves and $ROOTDIR/var/named/data. By placing files you
> want named to modify, such as slave or DDNS updateable zone files and
> database / statistics dump files in these directories, named will work
> normally and no further operator action is required. Files in these
> directories are automatically assigned the ˙named_cache_t˙ file con-
> text, which SELinux allows named to write.
>
> You can enable the named_t domain to write and create named_zone_t
> files by use of the SELinux tunable boolean variable "named_write_mas-
> ter_zones", using the setsebool(8) command or the system-config-secu-
> rity GUI . If you do this, you must also set the ENABLE_ZONE_WRITE
> variable in /etc/sysconfig/named to 1 / yes to set the ownership of
> files in the $ROOTDIR/var/named directory to named:named in order for
> named to be allowed to write them.
--
-------------------------
Mariano Cunietti
System Administrator
Enter S.r.l.
Via Stefanardo da Vimercate, 28
20128 - Milano - Italy
Tel. +39 02 25514319
Fax +39 02 25514303
mcunietti@enter.it
www.enter.it - www.enterpoint.it
---------------------------
Gruppo Y2K - www.gruppoy2k.it


Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 05:30 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0