BIND 9 Permission denied when chmod is 777 o_O

KasperLotus · 08-30-2005, 10:15 PM

Hi,
I've been fiddling with this for 2 days now and I still can't get it to work. I have all the directories up to my pid file chmoded to 755 (and I've tried it with all of them 777) and they are all owned by named and I know BIND is running as named but it still says "cannot open file ".../named.pid" : Permission denied".

Now here's the really weird part, when I run "named -u named -t /var/named/chroot -g" everything works fine, but when I run "service named start" it fails and it says Permission denied. o_O weird huh? Any ideas?

Thanks,
Brandon

aznluvsmc · 08-30-2005, 11:58 PM

Is your named process chrooted? If so, you may not following the correct path to the named.pid file. What distro are you using?

KasperLotus · 08-31-2005, 12:04 AM

My bind is chrooted and the path I have to the named.pid file is (absolute path) /var/named/chroot/var/run/named.pid I've tried many other paths and they all give the same error. I'm running Fedora Core 4.

EDIT: Another problem I just rememberd, whenever I run it in the foreground, it should still technically be running. If I make changes to the domains I am DNSing then it should update them when I restart right? I originally configured the domains with the wrong IPs so now that I've fixed it and I run it in the foreground, shouldn't a "host" command retrieve the updates instead?

EDIT2: Experimenting with dig, I discovered that my nameserver finally updated and nslookup and host said the same, but now it says that the connection was refused when I try to go to www.unnaturalfusion.com. My firewall and router are setup correctly, any ideas?

scowles · 08-31-2005, 04:40 AM

Are you talking about the dig query was refused? i.e. status REFUSED

Code:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46206
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

If thats the case, then I'd be willing to bet you have accidentally configured bind to refuse queries outside its authoritative zones (I can't tell from your post).

A couple of things to check:

1) Is recursion on?
2) What is the setting for "allow-query" either globally or within the zone statements?

KasperLotus · 08-31-2005, 10:51 AM

How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.

Darvocet · 08-31-2005, 09:48 PM

Quote:

Originally posted by KasperLotus
How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.

Usually recursion is on by default, however you can double check it by setting the

recursion on;

in the named.conf. Recursion needs to be on for local dns or for the machine to cache answers in my experience.

aznluvsmc · 09-04-2005, 10:27 PM

If you were refused trying to access a website then it's most likely an setting on the web server. Double check the settings if it's your own server or contact the admin of that server to find out about the issue.

Fredstar · 09-05-2005, 12:54 AM

One answer chcon

for your name server.

the problem is that although named starts off as root it is still denied when it tryes to write the pid file. this is because it does not, by default, have the correct setup for the directory (this problem is that same with apache and other system run processes)

fixing this

cd /var/run/
ls -Z

should return

## I have the chmod high because i was stumped by the permisson denied, this will change

Code:

drwxrwxr-x  named    named    system_u:object_r:named_var_run_t named

However, the important part is system_u (the user) and named_var_run_t (the type) if this is not what you see the following should fix this.

Code:

chcon -u system_u -t named_var_run_t /var/run/named/

next restart bind with user named

Code:

named -u named

To make sure all went well its always good to check /var/log/messages incase something went wrong with start up or zonefiles.

for apache (2) -

basically the same thing only difference is the -t (type)

//this must be set for all directory's you wish to have apache webserver access

Code:

chcon -Rt httpd_sys_content_t /your/DocumentRoot/

just to check and make sure everything works ok

Code:

chcon -Z

should return

Code:

drwxr-xr-x  your_user     its_group system_u:object_r:httpd_sys_content_t YOUR-DOCUMENT-ROOT

Note that if the user is not system_u then you should change it , and all sub-direcotrys with

Code:

chcon -Ru system_u /your/DocumentRoot

hope this helps!!

edited to disable smiles

KasperLotus · 09-05-2005, 07:40 PM

After the chcon command on several directories which were problematic, I ran "service named start" and got this error in the log file. It failed to start.

audit(1125967391.931:21): avc: denied { write } for pid=2967 comm="named" name=named dev=hda1 ino=613281 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir

Apparently, root is still the user, but when I run ls -Z it appears that system_u is the user....o_O

edited to disable smilies

Fredstar · 09-06-2005, 09:16 PM

Odd..

Did you make sure to set the type correctly?

Cause that was the big problem mine had when it wasn't running.

KasperLotus · 09-07-2005, 12:20 AM

Yeah, I made sure of that. I actually got it working by turning off the SELinux protection for the name server daemon and voila, it ran without an error. Thanks for all your help though.

Cheers.