I'm trying to set up BIND 9.7 in CentOS 6 and I want to enable statistics-channel so I can remotely get statistics information.
The problem is that this feature cannot function with SELinux enabled. In my logs I get "couldn't allocate statistics channel 192.168.0.56#18073: permission denied" (18073 is the port number).
When I disable SELinux it is working fine.
Is there anything I could do without disabling SELinux?
[RESOLVED] Problem with bind statistics-channel
Re: Problem with bind statistics-channel
The problem with using the statistics-channel port that you have selected is that SELinux does not have policy to allow named to bind to this port.
The issue can be resolved with SELinux still in an enforcing mode by adding the port that you want to use to the SELinux policy with this command:
semanage port -a -t dns_port_t -p tcp 18073
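As an added example (not part of the answer above, and not CentOS or BIND project code), the following POSIX shell script checks whether a port is already covered by an SELinux port type before changing policy. It parses the standard three-column output of `semanage port -l` (type, protocol, port list), and decides between `semanage port -a` (port has no explicit label) and `semanage port -m` (port is already assigned to a different type, where `-a` would fail with "already defined"). The sample `semanage port -l` output embedded below is constructed for offline use; set `SEMANAGE_OUTPUT` to override what would otherwise be read from the live system.

```sh
#!/bin/sh
# Added example: decide how to label a port dns_port_t so named can bind to it
# with SELinux enforcing. Reads `semanage port -l` output (or $SEMANAGE_OUTPUT).

# Constructed sample of `semanage port -l` lines, mimicking the column layout
# "type  protocol  port, port, low-high". Values are illustrative only.
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number
dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
rndc_port_t                    tcp      953
unreserved_port_t              tcp      1024-65535'

# port_type_of OUTPUT PROTO PORT
# Prints every SELinux port type whose PROTO entry covers PORT, one per line.
# Handles both comma-separated single ports and low-high ranges.
port_type_of() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                f = $i
                gsub(",", "", f)                # "53," -> "53"
                if (f ~ /-/) {                  # "1024-65535" range
                    split(f, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
                } else if (f + 0 == port + 0) {
                    print $1
                }
            }
        }'
}

# ensure_dns_port PROTO PORT
# Prints the semanage command needed to make PORT/PROTO dns_port_t, or an "ok"
# line if it already is. The catch-all unreserved_port_t does not count as an
# explicit label, so a port inside that range still gets "-a".
ensure_dns_port() {
    proto="$1"
    port="$2"
    out="${SEMANAGE_OUTPUT:-$(semanage port -l 2>/dev/null)}"
    current=$(port_type_of "$out" "$proto" "$port" | grep -v '^unreserved_port_t$' | head -n 1)
    if [ "$current" = dns_port_t ]; then
        echo "ok: $proto/$port is already dns_port_t"
    elif [ -z "$current" ]; then
        echo "semanage port -a -t dns_port_t -p $proto $port"
    else
        echo "note: $proto/$port is currently $current; modifying instead of adding" >&2
        echo "semanage port -m -t dns_port_t -p $proto $port"
    fi
}

# Usage: ./check_dns_port.sh PORT [PROTO]   (PROTO defaults to tcp)
if [ $# -gt 0 ]; then
    ensure_dns_port "${2:-tcp}" "$1"
fi
```

Run it with the statistics-channel port from the thread (`./check_dns_port.sh 18073`) and it prints the exact `semanage port -a -t dns_port_t -p tcp 18073` command from the answer; the command is only printed, not executed, so the policy change stays an explicit administrator step. After applying it, `semanage port -l | grep dns_port_t` should list the new port, and a fresh `ausearch -m avc -c named` should show no new denials for the bind.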
[RESOLVED] Problem with bind statistics-channel
Do you still symlink /var/named/chroot/etc/named.conf /etc/named.conf ?
There are new directories in /var/named/chroot/etc etc.
Any help/advice would be great.
[RESOLVED] Re: Problem with bind statistics-channel
[quote]
keithwright wrote:
The problem with using the statistics-channel port that you have selected is that SELinux does not have policy to allow named to bind to this port.
The issue can be resolved with SELinux still in an enforcing mode by adding the port that you want to use to the SELinux policy with this command:
semanage port -a -t dns_port_t -p tcp 18073[/quote]
Thank you, problem solved! :-)
[quote]
Do you still symlink /var/named/chroot/etc/named.conf /etc/named.conf ?
There are new directories in /var/named/chroot/etc etc.[/quote]
I didn't make any links and there aren't any links. I understand that BIND chrooting in CentOS 6 is done using mounts and it is different than in CentOS 5:
[code]
[root@ns1:~]# mount | grep bind
/etc/named on /var/named/chroot/etc/named type none (rw,bind)
/var/named on /var/named/chroot/var/named type none (rw,bind)
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
/etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind)
/etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind)
/usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind)
/etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind)
[/code]
- AlanBartlett
- Forum Moderator
Re: [RESOLVED] Re: Problem with bind statistics-channel
Thank you for reporting back.
For posterity, and on your behalf, this thread is marked [RESOLVED].