centos 6.2 bind slaves permission denied

wclune
Posts: 6
Joined: 2012/01/06 01:01:05

Post by wclune » 2012/01/06 04:58:28

Hi all, I have replaced a dead DNS slave server with a fresh install of CentOS 6.2 and the BIND version that shipped with it.
My setup included:
Webmin 1.570 used for managing
bind 9.7.3-8.P3.el6_2.1
bind-chroot 9.7.3-8.P3.el6_2.1
bind-libs 9.7.3-8.P3.el6_2.1
bind-utils 9.7.3-8.P3.el6_2.1

opening needed ports in firewall
port 53 tcp and udp

disabling recursion -- this is to be an authoritative slave only.

creating rndc key via the webmin interface

Once I create the slaves on the new server via Webmin it won't actually write the data to disk. I get a few errors in the logs that seem to be related to file permissions, but I am not a true Unix head so I can't be sure.
It does create empty files in /var/named/chroot/var/named/slaves.
Error recorded in the messages log:

[code]
ns1 named[8126]: zone mydomain.org/IN: refresh: could not set file modification time of '/var/named/slaves/mydomain.org.hosts': permission denied
[/code]

I have tried on another system, a Fedora 5 machine, and it pulls the files down without issue.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/06 09:13:13

Try

[code]
setsebool -P named_write_master_zones 1
[/code]

wclune
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 01:15:56

That does not seem to have done anything; thanks for the suggestion. I grabbed another PC and installed CentOS 6.2: same issue. Bug???

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 01:32:07

Look in /var/log/messages and see if you have any SELinux denial messages. Also post the output from

[code]
ls -laZ /var/named/slaves/mydomain.org.hosts
ls -laZ /var/named/chroot/var/named/slaves/mydomain.org.hosts
[/code]

wclune
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 02:30:06

There was nothing from SELinux in that folder. I don't believe it is installed by default any longer, and frankly I would have removed it.

outputs

[code]
[root@ns1 slaves]# ls -laZ /var/named/slaves/
drwxrwx---. named named system_u:object_r:named_cache_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..

[root@ns1 slaves]# ls -laZ /var/named/chroot/var/named/slaves/
drwxrwx---. named named unconfined_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rw-rw----. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
[/code]

I think this is what you were looking for

Thanks in Advance!

wclune
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 03:05:16

To my incredible surprise, SELinux was enabled. It is not now; I shall see after a reboot.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

centos 6.2 bind slaves permission denied

Post by pschaff » 2012/01/07 03:24:00

That should not be a surprise. Having SELinux installed and enabled is, and should be, the normal state of affairs. Why forgo one of the major features of an Enterprise Linux distribution?

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 03:29:05

I really recommend that you leave it enabled - it's no longer the beast that it used to be and offers a significant increase in security. If you want to test if it is the problem or not then you can run `setenforce 0` to put it into permissive mode on the fly.

Did you edit the output of the second ls -laZ - all the files there appear to be called the same thing which actually makes debugging incredibly difficult! There is one in that list that has different permissions to all the others - is the real name of that the same as the real message in your logs?

[quote]
-rw-rw----. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
[/quote]

wclune
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 04:38:23

That one record was a bit different from me trying things.
So I started over: uninstalled BIND, all of it, deleted the directories and reinstalled. This way I am sure I didn't fuzt it up.

SELinux permissive, I know, but it has been a pain in the past.

output

[code]
[root@ns1 slaves]# ls -laZ /var/named/chroot/var/named/slaves/
drwxr-xr-x. root root system_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts
[/code]

Thanks again for your efforts.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 04:58:46

OK, now the permissions are just wrong :-)

[quote]
-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts
[/quote]

This should probably be owned by named:named as should the /var/named/chroot/var/named/slaves/ directory.
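
Added example, not part of the thread: a small shell check that reads `ls -laZ` output in the five-column layout shown above and reports entries in a slave-zone directory that are not owned by named:named or that the owner cannot write. The function names and the last sample line are constructed for illustration; the SELinux type is only reported, not judged.

```shell
#!/bin/sh
# Added example: audit `ls -laZ` output for a BIND slave-zone directory.
# Assumes the CentOS 6 field layout seen in the thread:
#   mode owner group selinux-context name

audit_slave_listing() {
    # $1/$2: expected owner and group (named:named, per the thread's advice)
    awk -v want_user="${1:-named}" -v want_group="${2:-named}" '
        NF < 5 || $5 == ".." { next }      # skip blank lines and the parent dir
        {
            mode = $1; name = $5
            split($4, ctx, ":")            # user:role:type:level
            problems = ""
            if ($2 != want_user || $3 != want_group)
                problems = problems " owner=" $2 ":" $3
            # named must be able to rewrite the file on each zone refresh
            if (substr(mode, 3, 1) != "w")
                problems = problems " owner-not-writable"
            if (problems != "")
                printf "%s:%s (type=%s)\n", name, problems, ctx[3]
        }'
}

sample_listing() {
    # First three lines are the final listing from the thread; the last line
    # is constructed to show an entry that passes the check.
    cat <<'EOF'
drwxr-xr-x. root root system_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts
-rw-rw----. named named system_u:object_r:named_cache_t:s0 example.org.hosts
EOF
}

# Stand-alone run: prints one line per entry that needs attention.
sample_listing | audit_slave_listing
```

On a live server the same function can be fed directly, e.g. `ls -laZ /var/named/chroot/var/named/slaves/ | audit_slave_listing`.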
