[SELinux] Problem with Bind 9

Hi, I cannot start the named service:

/etc/init.d/named start
Iniciando named: 
Error in named configuration:
zone default.domain/IN: loading from master file /home/admin/conf/dns/default.domain.db failed: permission denied
zone default.domain/IN: not loaded due to errors.
_default/default.domain/IN: permission denied

If I change SELinux to permissive mode (setenforce 0), named starts.

OK, then I looked at the denials:

# sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/sbin/named-checkconf from read access on the archivo default.domain.db.

# ausearch -m avc -c named
----
time->Tue Jan  1 20:18:15 2013
type=SYSCALL msg=audit(1357082295.592:26312): arch=c000003e syscall=2 success=yes exit=3 a0=7fa1e3d1f018 
a1=0 a2=1b6 a3=0 items=0 ppid=6128 pid=6133 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 
ses=1 comm="named-checkconf" exe="/usr/sbin/named-checkconf" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { open } for  pid=6133 comm="named-checkconf" name="default.domain.db" 
dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357082295.592:26312): avc:  denied  { read } for  pid=6133 comm="named-checkconf" name="default.domain.db" 
dev=dm-0 ino=8615 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

Then I switched contexts:

# semanage fcontext -a -t named_zone_t '/home/admin/conf/dns(/.*)?'
# restorecon -F -R -v /home/admin/conf
# ls -dZ /home/admin/conf/dns/
drwxr-x--x. root root system_u:object_r:named_zone_t:s0 /home/admin/conf/dns/
# ls -Z /home/admin/conf/dns/
-rw-r-----. root named system_u:object_r:named_zone_t:s0 
# setenforce 1

But the problem is the same.

The funny thing is that if I change to permissive mode and do:

# sealert -a /var/log/audit/audit.log  
100% done
found 0 alerts in /var/log/audit/audit.log
# ausearch -m avc -c named
<no matches>

What is the problem?

---------- Post updated at 07:39 PM ---------- Previous update was at 06:38 PM ----------

OK, the problem was the context type of the directory that contains /dns. The proper context must be var_t:
Test 1:
chcon -t var_t /home/admin/conf
named does not start
Test 2:
chcon -t var_t /home/admin
named does not start
Test 3:
chcon -t var_t /home
named starts!!

Conclusion:
Zone database files must be located in the var directory, so that SELinux allows access.

Something else is wrong. You can store zone databases in locations other than /var. What distribution and version are you using?

:confused:, rhel 6 (x86_64)
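
The chcon tests in this thread relabel one parent directory at a time, and a process needs search access to every directory it traverses, so it helps to list the SELinux type of each directory on the way to the zone file in one pass. The script below is an added example, not code from anyone in the thread; the function names path_chain, selinux_type and label_chain are hypothetical helpers, and it assumes GNU stat with %C support.

```shell
#!/bin/sh
# Added example: show the SELinux type of every component on the path to a
# file, e.g. the zone file from this thread. Helper names are hypothetical.

# path_chain PATH: print / and each ancestor down to PATH itself, one per line.
path_chain() {
    p=$1
    case $p in
        /*) ;;
        *) echo "path_chain: need an absolute path" >&2; return 2 ;;
    esac
    chain=
    while [ "$p" != "/" ] && [ -n "$p" ]; do
        # Prepend so the final list runs from the root downwards.
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '/\n%s' "$chain"
}

# selinux_type CONTEXT: extract the type field from user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_chain PATH: print "<type> <path>" for each component.
# stat -c %C prints the SELinux context; "?" is shown when it is unavailable
# (path missing, or a system without SELinux).
label_chain() {
    path_chain "$1" | while IFS= read -r comp; do
        ctx=$(stat -c %C "$comp" 2>/dev/null) || ctx="?:?:?:?"
        printf '%-24s %s\n' "$(selinux_type "$ctx")" "$comp"
    done
}

# Run only when a path is given, e.g.:
#   sh label_chain.sh /home/admin/conf/dns/default.domain.db
if [ $# -gt 0 ]; then
    label_chain "$1"
fi
```

Comparing the listing before and after each chcon or restorecon shows which directory's type changed between a failing and a working start.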