
Slave DNS Manager Module and SELinux

Oto Tortorella

Basic Pleskian
Slave DNS Manager Module and SELinux do not play together; I've been forced to disable SELinux.

That's the error I get in audit.log:
Code:
type=AVC msg=audit(1458142793.324:18067): avc:  denied  { append } for  pid=31882 comm="named" name="named.run" dev="dm-2" ino=1046563 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.324:18067): arch=c000003e syscall=2 success=yes exit=7 a0=7f91c297dbb8 a1=441 a2=1b6 a3=24 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1458142793.377:18068): avc:  denied  { rename } for  pid=31882 comm="named" name="tmp-NjozbZZody" dev="dm-2" ino=1046564 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.377:18068): arch=c000003e syscall=82 success=yes exit=0 a0=7f91bc6fb220 a1=7f91bc70d3d8 a2=7f91b8000078 a3=7f91be880ab0 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
I'm not an expert in SELinux. Does someone have any advice?

Thank you
 
Again, if you aren't sure about any other denial from SELinux, please do not use the audit2allow command; it may be SELinux doing its job.
 
Hi,

If you use SELinux and want to allow BIND to write the master zone files (generally this is used for dynamic DNS or zone transfers), you must turn on the named_write_master_zones boolean.

# getenforce
Enforcing
# getsebool named_write_master_zones
named_write_master_zones --> off
# setsebool -P named_write_master_zones 1
# getsebool named_write_master_zones
named_write_master_zones --> on

 
Thank you,

I've set SELinux back to enforcing, but now I get this kind of error in /var/messages:
Code:
Mar 30 14:45:02 service named[11926]: zone mydomainname.com/IN: refresh: could not set file modification time of 'mydomainname.com': permission denied

and the zone is not updating.
If I disable SELinux, it starts working again.

What could be the reason?
 
Just to add that in /var/audit/audit-log I get:
Code:
type=AVC msg=audit(1490878312.137:1921): avc:  denied  { setattr } for  pid=11927 comm="named" name="mydomainname.com" dev="dm-2" ino=1046598 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

But I'm not able to decode it :)
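The AVC records quoted in the first post and in the post just above can be read mechanically. What follows is an added example, not code posted in this thread or shipped with Plesk or the Slave DNS Manager module: a small Python decoder that parses audit.log lines, pairs each AVC record with its SYSCALL record by audit serial, and reports the source domain, target type, object class and denied permissions. The sample input is the thread's own lines, embedded as a constructed string; the field names (scontext, tcontext, tclass, success) are the standard audit record fields.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the audit.log lines quoted in this thread, used here as offline test input.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1458142793.324:18067): avc:  denied  { append } for  pid=31882 comm="named" name="named.run" dev="dm-2" ino=1046563 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.324:18067): arch=c000003e syscall=2 success=yes exit=7 a0=7f91c297dbb8 a1=441 a2=1b6 a3=24 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1458142793.377:18068): avc:  denied  { rename } for  pid=31882 comm="named" name="tmp-NjozbZZody" dev="dm-2" ino=1046564 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.377:18068): arch=c000003e syscall=82 success=yes exit=0 a0=7f91bc6fb220 a1=7f91bc70d3d8 a2=7f91b8000078 a3=7f91be880ab0 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1490878312.137:1921): avc:  denied  { setattr } for  pid=11927 comm="named" name="mydomainname.com" dev="dm-2" ino=1046598 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
"""

# key=value pairs; values are either double-quoted strings or bare tokens such as (null).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC record: avc:  denied  { append } for ...
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
# Timestamp and serial that tie an AVC record to its SYSCALL record.
MSG_ID_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')


def parse_kv(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def selinux_type(context: str) -> str:
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


@dataclass
class Denial:
    serial: str
    perms: List[str]
    comm: str
    name: str
    tclass: str
    source_type: str
    target_type: str
    # True: the syscall failed (enforcing); False: it succeeded, so the denial
    # was only logged (permissive); None: no SYSCALL record was found to pair.
    enforced: Optional[bool] = None


def parse_audit(text: str) -> List[Denial]:
    """Parse AVC records and pair each with its SYSCALL record by serial."""
    avcs: Dict[str, Denial] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = MSG_ID_RE.search(line)
        if not m:
            continue
        serial = m.group('serial')
        fields = parse_kv(line)
        if fields.get('type') == 'AVC':
            p = PERMS_RE.search(line)
            if not p:
                continue
            avcs[serial] = Denial(
                serial=serial,
                perms=p.group('perms').split(),
                comm=fields.get('comm', ''),
                name=fields.get('name', ''),
                tclass=fields.get('tclass', ''),
                source_type=selinux_type(fields.get('scontext', '')),
                target_type=selinux_type(fields.get('tcontext', '')),
            )
        elif fields.get('type') == 'SYSCALL':
            syscalls[serial] = fields
    for serial, denial in avcs.items():
        sc = syscalls.get(serial)
        if sc is not None:
            # In enforcing mode a denied access fails the syscall (success=no).
            denial.enforced = sc.get('success') == 'no'
    return list(avcs.values())


def summarize(denials: List[Denial]) -> Dict[Tuple[str, str, str], List[str]]:
    """Collapse denials into (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return {k: sorted(v) for k, v in groups.items()}


def describe(d: Denial) -> str:
    """One readable line per denial, including whether it was actually blocked."""
    mode = {True: 'blocked', False: 'logged only (permissive)', None: 'mode unknown'}[d.enforced]
    return (f'{d.comm} ({d.source_type}) denied {" ".join(d.perms)} on {d.tclass} '
            f'"{d.name}" labelled {d.target_type}; {mode}')


if __name__ == '__main__':
    found = parse_audit(SAMPLE_AUDIT_LOG)
    for d in found:
        print(describe(d))
    for (src, tgt, cls), perms in summarize(found).items():
        print(f'{src} -> {tgt} ({cls}): {", ".join(perms)}')
```

Run against the thread's lines, the summary collapses to a single group, named_t acting on files labelled named_conf_t with append, rename and setattr denied; the first two records also show success=yes on the SYSCALL side, meaning they were captured while the system was permissive. The grouped output is exactly the information audit2allow would turn into allow rules, which is why the reply above asks for the file contexts instead: the target type tells you what the files are labelled, and the question to answer is whether that label is the intended one before any policy is loosened.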
 
Did you restart `named` after changing named_write_master_zones?

What OS do you use? Did you use chrooted named or not?

Could you post output of "ls -laZ /path/to/zonefiles"?
 