LinuxQuestions.org
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-09-2005, 11:44 AM   #1
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

SELinux and DNS


FC3, fully patched.

Apparently during install I elected to install and run SELinux. Well, after configuring it the way I wanted, for use as a web, DNS and mail server, I noticed it was more difficult to set things up. I couldn't figure out why. Then I looked in /var/log/messages and saw all the SELinux audit entries. It starts in permissive mode (as per messages), even though the /etc/selinux/config file shows:

SELINUX=enforcing
SELINUXTYPE=targeted


Anyway, I can't get DNS to work because my custom zone files won't load ("permission denied"), which shows up as the "kernel: audit" failure. I'm using bind-chroot 9.2.5, and the default zone files that came with the package load fine...

What I don't understand is that all the zone files have the same perms and ownership by named.

What's the deal with SELinux blocking my custom zone files?
 
Old 11-09-2005, 01:33 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

IIGC you could try using audit2allow (policycoreutils rpm); it can unfsck SELinux warnings into directives to add to your policy.
Alternatively (or should that be the first action?) read "man 8 bind" under NOTES, where it explains the "Red Hat SELinux BIND Security Profile" and how to work with named_write.*. If that doesn't work you can disable (not advisable) SELinux for BIND: setsebool -P named_disable_trans 1. If that doesn't work you'll have to be more verbose in your error log posting.
 
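Before feeding the "kernel: audit" lines from post #1 to audit2allow, it helps to see what is actually being denied. The following is an added example, not code from the thread: it parses AVC denial lines in the FC3-era /var/log/messages format, tallies them, and, for a named denial on a file carrying the wrong type, suggests relabelling the file rather than loosening policy. The log lines are constructed to match the poster's description, and the expected zone-file type named_zone_t is an assumption about the targeted policy's labelling of /var/named.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages excerpt (FC3-era kernel audit format), not
# the poster's actual log: two named denials, one plain named line, one httpd denial.
SAMPLE_LOG = """\
Nov  9 11:02:13 fc3 kernel: audit(1131555733.415:2): avc:  denied  { read } for  pid=2231 exe=/usr/sbin/named name=10.11.0.zone dev=hda2 ino=425912 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file
Nov  9 11:02:13 fc3 kernel: audit(1131555733.416:3): avc:  denied  { getattr } for  pid=2231 exe=/usr/sbin/named path=/var/named/chroot/var/named/domain.home.zone dev=hda2 ino=425913 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=file
Nov  9 11:02:14 fc3 named[2231]: zone domain.net/IN/internal: loading master file domain.home.zone: permission denied
Nov  9 11:02:15 fc3 kernel: audit(1131555735.001:4): avc:  denied  { name_bind } for  pid=2240 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed: the targeted policy labels zone data under /var/named as named_zone_t.
EXPECTED_ZONE_TYPE = "named_zone_t"


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = rec.get("scontext", "").split(":")[-1]   # e.g. named_t
    rec["target_type"] = rec.get("tcontext", "").split(":")[-1]   # e.g. var_t
    return rec


def zone_file_fix(rec):
    """Suggest a relabel for a named denial on a mislabelled file, else None.

    A zone file named cannot read because it carries var_t instead of named_zone_t
    is a labelling problem: fix the label (restorecon/chcon) instead of adding an
    audit2allow rule that lets named_t read var_t everywhere.
    """
    if rec is None or rec["source_type"] != "named_t" or rec.get("tclass") != "file":
        return None
    if rec["target_type"] == EXPECTED_ZONE_TYPE:
        return None
    target = rec.get("path") or rec.get("name")
    return "chcon -t %s %s  # or restorecon -v %s" % (EXPECTED_ZONE_TYPE, target, target)


def triage(log_text):
    """Parse a log excerpt into denial records plus a (source, target, class) tally."""
    records = [r for r in (parse_avc(line) for line in log_text.splitlines()) if r]
    tally = Counter((r["source_type"], r["target_type"], r["tclass"]) for r in records)
    return records, tally
```

Running triage on a real excerpt shows at a glance whether every denial is the same (named_t, var_t, file) triple, which points at labels rather than at policy.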
Old 11-09-2005, 06:04 PM   #3
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Original Poster
XP box won't work with FC3 DNS

Ok, I just changed the SELinux config file to "disabled", rebooted, and now all the zone files work fine.
Now I have a different problem:

When I configure an XP SP2 box (with or without the firewall running) to use the FC3 box as DNS, it can't resolve anything and gets this error:


"DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 10.11.0.3: Timed out
*** Default servers are not available
Server: UnKnown
Address: 10.11.0.3

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out"


If XP is set to use the ISP's DNS, it works with no problem.


named.conf uses internal and external "view" sections with different sets of zone files, depending on whether DNS queries come from the internal NAT'd or external nets.

Host/ping commands on the server work for any hosts in the zone files, and for any external domains/IPs. All resolution is via named, not /etc/hosts.

Iptables blocks all except 21,53,80,443.

Ps shows "/usr/sbin/named -u named -t /var/named/chroot".

/var/log/messages shows named start and load all the zone files with no errors.

Netstat -an shows 127.0.0.1 and 10.11.0.3 listening on port 53.

Nmap scan of the FC3 dns server from the XP box shows port 53 open.

I imagine it's got to be something obvious in my named.conf file, but I can't figure out what it is. Here is the file:



//
// named.conf for Red Hat caching-nameserver
//

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};


view "internal" {
    match-clients { localnets; localhost; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };

    zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };

    zone "0.11.10.in-addr.arpa" IN {
        type master;
        file "10.11.0.zone";
        allow-update { none; };
    };

    zone "domain.net" {
        type master;
        notify no;
        file "domain.home.zone";
        allow-query { any; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "domain.net" {
        type master;
        notify no;
        allow-query { any; };
        file "domain.zone";
    };

    zone "0.11.10.in-addr.arpa" {
        type master;
        notify no;
        file "10.11.0.zone";
    };
};

logging {
    category lame-servers { null; };
};

include "/etc/rndc.key";
 
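The named.conf above hands each query to the first view whose match-clients accepts the client, so which view a given address lands in decides which zone files and which recursion setting it gets. As an added illustration (not code from the thread), here is a Python model of that first-match selection for the two posted views; it assumes the server's interfaces are 127.0.0.1/8 and 10.11.0.3/24 (the netmask is an assumption, the post only shows the address) and models only the localnets, localhost and any ACL names the config uses. It also checks that no view serves recursion to arbitrary clients, which is what "recursion no;" in the external view prevents.

```python
import ipaddress

# Assumed server interfaces: the post shows 10.11.0.3 and 127.0.0.1; the /24 is a guess.
SERVER_IFACES = ["127.0.0.1/8", "10.11.0.3/24"]

# The two views from the posted named.conf, in file order. BIND tries views in order
# and uses the first whose match-clients accepts the client; recursion defaults to yes.
VIEWS = [
    {"name": "internal", "match_clients": ["localnets", "localhost"], "recursion": True},
    {"name": "external", "match_clients": ["any"], "recursion": False},
]


def acl_matches(acl_name, client):
    """Evaluate one of BIND's built-in ACL names against a client address."""
    if acl_name == "any":
        return True
    if acl_name == "localhost":  # any address the server itself has
        return any(client == ipaddress.ip_interface(i).ip for i in SERVER_IFACES)
    if acl_name == "localnets":  # any network directly attached to the server
        return any(client in ipaddress.ip_interface(i).network for i in SERVER_IFACES)
    raise ValueError("ACL not modelled here: %s" % acl_name)


def select_view(client_ip, views=VIEWS):
    """Return the first view whose match-clients accepts the client, or None."""
    client = ipaddress.ip_address(client_ip)
    for view in views:
        if any(acl_matches(name, client) for name in view["match_clients"]):
            return view
    return None  # no view matched: BIND refuses the query


def recursion_offered(client_ip, views=VIEWS):
    """True when the client lands in a view that still allows recursive lookups."""
    view = select_view(client_ip, views)
    return bool(view and view["recursion"])


def open_resolver_views(views=VIEWS):
    """Names of views that serve recursion to 'any' client: an open-resolver exposure."""
    return [v["name"] for v in views if v["recursion"] and "any" in v["match_clients"]]
```

With these assumptions a client on 10.11.0.0/24 gets the internal view with recursion, while an outside address gets only the authoritative external view.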
Old 11-09-2005, 07:10 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Crossposted here: thread closed (read the LQ rules). BTW, your last q is about Wintendo. This is the Linux Security Forum.
 