Named in slave mode not able to create zone files.

jfmays · 04-08-2013, 01:55 PM

Running RHEL 6.1 named. Have BIND running in primary mode on one server, and slave mode on the other. The slave version gets the zones from the primary version, but it is not capable of creating the slave files. So it works, but I'm aware that if the secondary ever rebooted while the primary was down, neither would work.

I believe I had the persmissions correct on the directories, but I even went beyond that and changed /var, /var/named and everything under /var/named to 777 permissions. In /etc/sysconfig/named I have set --

ENABLE_ZONE_WRITE=yes
named_write_master_zones=yes

Still get the following error --

Code:

Apr  8 12:18:14 postgres-02 named[6248]: dumping master file: /var/named/slaves/tmp-6QzqbnrkFm: open: permission denied
Apr  8 12:18:14 postgres-02 kernel: type=1400 audit(1365441494.693:264460): avc:  denied  { write } for  pid=6251 comm="named" name="slaves" dev=dm-0 ino=131232 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
Apr  8 12:18:14 postgres-02 named[6248]: dumping master file: /var/named/slaves/tmp-R9d4zgBXzF: open: permission denied
Apr  8 12:18:14 postgres-02 kernel: type=1400 audit(1365441494.703:264461): avc:  denied  { write } for  pid=6251 comm="named" name="slaves" dev=dm-0 ino=131232 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

What am I overlooking?

bathory · 04-09-2013, 02:01 AM

Hi,

This is a SELinux problem.
Have a look here for help

Regards

jpollard · 04-10-2013, 04:48 PM

Check the labeling of /var/named/slaves, and be sure that named can write to it. Unfortunately, I don't know what the label should be...

chrism01 · 04-10-2013, 08:42 PM

Normally in RHEL I'd expect it to be chrooted http://www.linuxtopia.org/online_boo...5_ch-bind.html

jpollard · 04-11-2013, 05:52 AM

I know it is planned (if not already done). The defaults I have are:

Code:

# cd /var/named
# ls -lZ
drwxr-x---. root  named system_u:object_r:named_conf_t:s0 chroot
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.loopback
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves

The CentOS 6 VM I have uses the same, so it does have MAC labels. I don't have bind configured in the VM, so I don't know if there are any more labels needed for slave servers.