named doesn't work with selinux

Support for security such as Firewalls and securing linux
nharmando
Posts: 5
Joined: 2017/11/10 23:48:29

named doesn't work with selinux

Postby nharmando » 2017/11/10 23:57:58

Hello friends,

I'm configuring an Active Directory with samba4, bind9 and kerberos, but when I try to start the DNS, I get the following error:


[root@resources tmp]# systemctl status named
 named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since vie 2017-11-10 17:23:45 CST; 14s ago
  Process: 1984 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 19835 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 19832 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1951 (code=exited, status=0/SUCCESS)

nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb
nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: dlz_dlopen of 'AD DNS Zone' failed
nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: SDLZ driver failed to load.
nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: DLZ driver failed to load.
nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: loading configuration: failure
nov 10 17:23:45 resources.iseade-fepade.cc named[19838]: exiting (due to fatal error)
nov 10 17:23:45 resources.iseade-fepade.cc systemd[1]: named.service: control process exited, code=exited status=1
nov 10 17:23:45 resources.iseade-fepade.cc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
nov 10 17:23:45 resources.iseade-fepade.cc systemd[1]: Unit named.service entered failed state.
nov 10 17:23:45 resources.iseade-fepade.cc systemd[1]: named.service failed.
[root@resources tmp]# setsebool -P named_write_master_zones=1
[root@resources tmp]# service named start
Redirecting to /bin/systemctl start named.service
Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
[root@resources tmp]#


When I set setenforce 0, the named service works, but when I set setenforce 1 I get the previous error, so it is a permissions issue with SELinux.

I got the information here: https://imanudin.net/2014/11/17/how-to- ... s-7-part-2

Could you please help me with that? What would be the right permissions and owner to fix it?

I've tried with:


chown named.named /usr/local/samba/private/dns
chown named.named /usr/local/samba/private/dns/sam.ldb
chown named.named /usr/local/samba/private/dns/sam.ldb.d/
chown named.named /usr/local/samba/private/dns/sam.ldb.d/*

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named doesn't work with selinux

Postby TrevorH » 2017/11/11 00:03:44

Wrong location: try using /var/lib not /usr/local.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

nharmando
Posts: 5
Joined: 2017/11/10 23:48:29

Re: named doesn't work with selinux

Postby nharmando » 2017/11/11 04:50:15

Thank you for your reply, but I have a doubt: why is everything right when I set setenforce 0 (the named service works well), while when I set setenforce 1 I can't start the named service? According to my first post the error is:


samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb


I think it is because of some kind of SELinux permission, but I don't know.

What can I do?

scottro
Forum Moderator
Posts: 2329
Joined: 2007/09/03 21:18:09
Location: NYC

Re: named doesn't work with selinux

Postby scottro » 2017/11/11 10:55:03

https://wiki.centos.org/HowTos/SELinux has a nice section in troubleshooting about how you can see what the problem is and write a custom policy if necessary. (It's very easy, just do a search for audit2allow on the page).
New users should check the FAQ and Read Me First pages

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named doesn't work with selinux

Postby TrevorH » 2017/11/11 11:32:52

Because SELinux knows about /var/lib/samba/private as a location where named should be allowed to write. Nothing in CentOS uses /usr/local.

hunter86_bg
Posts: 765
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: named doesn't work with selinux

Postby hunter86_bg » 2017/11/11 21:15:28

When you need help with SELinux, I think the most invaluable tool available is 'sealert'.

nharmando
Posts: 5
Joined: 2017/11/10 23:48:29

Re: named doesn't work with selinux

Postby nharmando » 2017/11/14 00:46:51

Thank you so much for everything,

sealert is amazing. I did it: when I tried to start named it gave me an error, but after that I ran:


setsebool -P named_write_master_zones 1


Another try and another error message, but with sealert I could find the solution with the following commands:


ausearch -c 'named' --raw | audit2allow -M samba4
semodule -i samba4.pp


It works!!

I'll change the path as TrevorH says.

You are amazing guys
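The triage the thread ends with (sealert, then `ausearch -c 'named' --raw | audit2allow`) can be walked through in miniature with the script below. It is an added example, not code from the thread or from any of the posters. The two AVC lines are constructed to mirror the symptom described above (named denied access to sam.ldb under /usr/local); the assumption that files under /usr/local carry the generic usr_t type, the approximation of audit2allow's rule output, and the relabel-or-review heuristic in `recommend` are mine, not taken from the thread. What it makes visible is why TrevorH's advice is the better fix: a module generated from these denials grants named_t access to usr_t as a whole, whereas data kept in /var/lib/samba/private is already labeled as a location named may use.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage SELinux AVC denials the
# way sealert/audit2allow read them, then decide whether the fix is a label
# problem (data in the wrong place) or something that needs manual review.
# The two AVC lines below are CONSTRUCTED to mirror the thread's symptom
# (named blocked under /usr/local); they are not the poster's real audit log.
# Assumption: /usr/local is labeled usr_t, so that is the type they carry.

SAMPLE_AVC='type=AVC msg=audit(1510356225.123:456): avc:  denied  { read write } for  pid=19838 comm="named" name="sam.ldb" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510356225.124:457): avc:  denied  { search } for  pid=19838 comm="named" name="private" dev="dm-0" ino=1230 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'

# Read AVC lines on stdin; print "source_type target_type class permission",
# one line per denied permission, deduplicated.
avc_summary() {
    sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read -r src tgt cls perms; do
        for p in $perms; do
            printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"
        done
    done | sort -u
}

# Approximate the allow rules audit2allow would emit for the same input
# (one rule per source/target/class with the permissions merged). This is
# what a module built from these denials effectively grants: named_t gets
# access to the generic usr_t type, not just to the samba data.
avc_to_allow_rules() {
    avc_summary | awk '
        { key = $1 " " $2 ":" $3; perms[key] = perms[key] " " $4 }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }
    ' | sort
}

# Heuristic (mine, not policy knowledge): a denial whose target carries a
# generic type means the file sits outside the path the policy labels for
# that service, so relabel it or move it to the standard location
# (/var/lib/samba/private, as TrevorH advised) rather than widen the policy.
recommend() {
    case "$1" in
        usr_t|default_t|unlabeled_t) echo relabel-or-move ;;
        *) echo review ;;
    esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
for t in $(printf '%s\n' "$SAMPLE_AVC" | avc_summary | awk '{ print $2 }' | sort -u); do
    printf '%s -> %s\n' "$t" "$(recommend "$t")"
done
```

The functions read from stdin, so on a real host the constructed sample can be replaced by the thread's own `ausearch -c 'named' --raw` output piped into `avc_summary`. When every target type in the summary is a generic one, the cheaper and tighter fix is to put the data where the policy already expects it and run `restorecon -Rv` on that tree; `audit2allow -M` is the fallback for a genuine policy gap, and the rules it would add should be read before `semodule -i` installs them.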