• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Slave DNS Manager Module and SeLinux

O

Oto Tortorella

Basic Pleskian
Slave DNS Manager Module and SeLinux do not play toghether, i've been foced to disable SeLinux.

Thats the error I get in audit.log:
Code: 
type=AVC msg=audit(1458142793.324:18067): avc:  denied  { append } for  pid=31882 comm="named" name="named.run" dev="dm-2" ino=1046563 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.324:18067): arch=c000003e syscall=2 success=yes exit=7 a0=7f91c297dbb8 a1=441 a2=1b6 a3=24 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1458142793.377:18068): avc:  denied  { rename } for  pid=31882 comm="named" name="tmp-NjozbZZody" dev="dm-2" ino=1046564 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1458142793.377:18068): arch=c000003e syscall=82 success=yes exit=0 a0=7f91bc6fb220 a1=7f91bc70d3d8 a2=7f91b8000078 a3=7f91be880ab0 items=0 ppid=1 pid=31882 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
I'm not an expert in selinux, someone has an advice^

Thank you
 
again if you ain't sure about any other denial from SELinux, Please do not use audit2allow command, it may be SELinux doing its' job.
 
Last edited:
Hi,

If you use SELinux and want to allow BIND to write the master zone files (generally this is used for dynamic DNS or zone transfers), you must turn on the named_write_master_zones boolean.

# getenforce
Enforcing
# getsebool named_write_master_zones
named_write_master_zones --> off
# setsebool -P named_write_master_zones 1
# getsebool named_write_master_zones
named_write_master_zones --> on

 
Thank you,

I've set again SELinux to enforcing but now I get this kind of errors in /var/messages :
Code: 
Mar 30 14:45:02 service named[11926]: zone mydomainname.com/IN: refresh: could not set file modification time of 'mydomainname.com': permission denied

and the zone is not updating.
If I disable SELinux it start working again.

What could be the reason?
 
Just to add that in /var/audit/audit-log I get:
Code: 
type=AVC msg=audit(1490878312.137:1921): avc:  denied  { setattr } for  pid=11927 comm="named" name="mydomainname.com" dev="dm-2" ino=1046598 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

But I'm not able to decode :)
 
Did you restart `named` after change named_write_master_zones?

What OS do you use? Did you use chrooted named or not?

Could you post output of "ls -laZ /path/to/zonefiles"?
 
You must log in or register to reply here.

Similar threads

danami
Forwarded to devs SELinux errors due to ARC mail handler
Replies
2
Views
909
Kaspar@Plesk
Kaspar@Plesk
carini
Question network.audit in journal log
Replies
2
Views
362
carini
carini
M
Resolved Failed to start The Apache HTTP Server: SELinux impedisce a /usr/sbin/httpd un accesso open su file /var/log/modsec_audit.log. -- SOLVED --
Replies
0
Views
2K
mmcomputers
M
tkalfaoglu
Resolved How to stop all these audit messages?
Replies
1
Views
3K
tkalfaoglu
tkalfaoglu
Nicola Urbinati
Issue Problem starting services after update and restart
Replies
0
Views
1K
Nicola Urbinati
Nicola Urbinati
Back
Top