LinuxQuestions.org
Old 05-17-2007, 03:22 PM   #1
Richard01
LQ Newbie
 
Registered: May 2007
Location: Norwich, UK
Distribution: Suse 10.1
Posts: 3

Rep: Reputation: 0
DHCPD updating BIND on SUSE


Hi all, I'm trying to get dynamic updates to work. I have read other forums and howtos, but still run into the same problem:

May 17 21:07:27 Server1 named[10588]: client 10.1.2.2#32881: updating zone 'domain/IN': adding an RR at 'computer.domain' A
May 17 21:07:27 Server1 named[10588]: client 10.1.2.2#32881: updating zone 'domain/IN': adding an RR at 'computer.domain' TXT
May 17 21:07:27 Server1 named[10588]: journal file master/domainX.jnl does not exist, creating it
May 17 21:07:27 Server1 named[10588]: master/domainX.jnl: create: permission denied
May 17 21:07:27 Server1 named[10588]: client 10.1.2.2#32881: updating zone 'domain/IN': error: journal open failed: unexpected error
May 17 21:07:27 Server1 dhcpd: Unable to add forward map from computer.domain. to 10.1.2.32: timed out

It looks like a permissions issue, but I have tried
chown -R named named
chgrp -R named named
and
chmod -R 777 named

but I still get the same error in the log.

Any help would be much appreciated.

Thanks

Richard.
 
Old 05-17-2007, 06:29 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
That is frequently a problem found in Red Hat versions of Linux with SELinux enabled. Here is a quote about it:

Quote:
here is the Q and A
*Q:*

I'm running BIND on Red Hat Enterprise Linux or Fedora Core -

Why can't named update slave zone database files?

Why can't named create DDNS journal files or update the master zones
from journals?

Why can't named create custom log files?

*A:*

Red Hat Security Enhanced Linux (SELinux) policy security protections :

Red Hat have adopted the National Security Agency's SELinux security
policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND
security , which are more secure than running named in a chroot and make
use of the bind-chroot environment unnecessary.

By default, named is not allowed by the SELinux policy to write, create
or delete any files EXCEPT in these directories:

$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp


where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
installed.

The SELinux policy particularly does NOT allow named to modify the
$ROOTDIR/var/named directory, the default location for master zone
database files.

SELinux policy overrules file access permissions - so even if all the
files under /var/named have ownership named:named and mode rw-rw-r--,
named will still not be able to write or create files except in the
directories above, with SELinux in Enforcing mode.

So, to allow named to update slave or DDNS zone files, it is best to
locate them in $ROOTDIR/var/named/slaves, with named.conf zone
statements such as:

zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-update { ... };
file "slaves/ddns.zone.db";
};


To allow named to create its cache dump and statistics files, for
example, you could use named.conf options statements such as:

options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};


You can also tell SELinux to allow named to update any zone database
files, by setting the SELinux tunable boolean parameter
'named_write_master_zones=1', using the system-config-securitylevel GUI,
using the 'setsebool' command, or in /etc/selinux/targeted/booleans.

You can disable SELinux protection for named entirely by setting the
'named_disable_trans=1' SELinux tunable boolean parameter.

The SELinux named policy defines these SELinux contexts for named:

named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}


If you want to retain use of the SELinux policy for named, and put named
files in different locations, you can do so by changing the context of
the custom file locations .

To create a custom configuration file location, eg. '/root/named.conf',
to use with the 'named -c' option, do:

# chcon system_u:object_r:named_conf_t /root/named.conf


To create a custom modifiable named data location, eg. '/var/log/named'
for a log file, do:

# chcon system_u:object_r:named_cache_t /var/log/named


To create a custom zone file location, eg. /root/zones/, do:

# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
I found that writeup at http://forums.fedoraforum.org/showthread.php?t=119222

You should put your distro in your profile, so we know what you're running. It seems like it is Red Hat, Fedora, CentOS or one of those, but that is just a guess as you didn't tell us.

Peace,
JimBass
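As an added illustration of the quoted writeup's point about which directories named may write to (this is not code from the thread or from the quoted Fedora post): a small POSIX shell check that, given the chroot root and a zone's file path from named.conf, reports whether the zone file (and therefore its .jnl journal, which named creates beside it) sits under one of the directories the quoted policy allows, and whether that directory is owned by the named user. It also covers the non-chrooted case (empty root). The function names and the default chroot value are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a BIND zone file's location
# against the writable directories named in the quoted SELinux policy.

# Writable locations from the quoted policy, relative to $ROOTDIR.
ALLOWED_DIRS="var/named/slaves var/named/data var/tmp"

# check_zone_location ROOTDIR ZONEFILE
#   ROOTDIR  - chroot root; "" when not chrooted, /var/lib/named on the
#              poster's SUSE box
#   ZONEFILE - the 'file' value of the zone statement, relative to named's
#              working directory $ROOTDIR/var/named
# Returns 0 if the zone file is under an allowed directory, 1 otherwise.
check_zone_location() {
    rootdir=${1%/}
    full="$rootdir/var/named/$2"
    for d in $ALLOWED_DIRS; do
        case "$full" in
            "$rootdir/$d"/*) return 0 ;;
        esac
    done
    return 1
}

# journal_dir_owned_by ROOTDIR ZONEFILE USER
# Returns 0 if the directory that will receive the .jnl journal exists and
# is owned by USER; the "create: permission denied" in the log comes from
# named being unable to write this directory.
journal_dir_owned_by() {
    want=$3
    dir=$(dirname "${1%/}/var/named/$2")
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")       # field 3 of ls -ld is the owner
    [ "$3" = "$want" ]
}

# diagnose ROOTDIR ZONEFILE USER: print a short report for one zone.
diagnose() {
    if check_zone_location "$1" "$2"; then
        echo "ok:   $2 is under a directory the SELinux named policy allows"
    else
        echo "warn: $2 is outside var/named/{slaves,data} and var/tmp"
    fi
    if journal_dir_owned_by "$1" "$2" "$3"; then
        echo "ok:   journal directory is owned by $3"
    else
        echo "warn: journal directory is missing or not owned by $3"
    fi
    # Show the SELinux context only where SELinux tools exist.
    { command -v getenforce >/dev/null 2>&1 && \
        ls -dZ "$(dirname "${1%/}/var/named/$2")"; } || true
}

# Usage for the poster's chroot; the zone file name is inferred from the
# journal name master/domainX.jnl in the log:
# diagnose /var/lib/named master/domainX named
```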
 
Old 05-20-2007, 08:02 AM   #3
Richard01
LQ Newbie
 
Registered: May 2007
Location: Norwich, UK
Distribution: Suse 10.1
Posts: 3

Original Poster
Rep: Reputation: 0
Re:

Hi, thanks for that. I'm running Suse 10.1 (have updated profile now). I did give it a try (moving my zone files to var/named/slaves), but it had no effect. Have you got any other suggestions?

Thanks in advance

Richard
 
Old 05-20-2007, 10:09 AM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Once you create the zone files in the new directory, you're not quite done. You need to change the named.conf file, telling it that the zone should now be in /var/named/slaves, you have to have the zone in /var/named/slaves, and you need to restart the BIND process. I suspect that all of that didn't happen.

Peace,
JimBass
 
Old 05-21-2007, 01:09 PM   #5
Richard01
LQ Newbie
 
Registered: May 2007
Location: Norwich, UK
Distribution: Suse 10.1
Posts: 3

Original Poster
Rep: Reputation: 0
Hi Jim, I have done all that, but my directory is not /var/named/slaves, it's /var/lib/named/var/named/slaves, because named is running chrooted. Anyway, it's still not happy.

Thanks for all your help so far.

Richard.
 
Old 05-21-2007, 10:19 PM   #6
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
It could be that when you restarted named, the old version didn't die. Please stop named and check that it is dead (try "ps aux | grep named"), then start it up. Also, please post both the part of your named.conf file that deals with the zone in question, and also post the results of "ls -al" in /var/lib/named/var/named/slaves.

Peace,
JimBass
 