centos 6.2 bind slaves permission denied


Post by wclune » 2012/01/06 04:58:28

Hi all, I have replaced a dead DNS slave server with a fresh install of CentOS 6.2 and the bind version that shipped with it.
My setup included:
Webmin 1.570 used for managing
bind 9.7.3-8.P3.el6_2.1
bind-chroot 9.7.3-8.P3.el6_2.1
bind-libs 9.7.3-8.P3.el6_2.1
bind-utils 9.7.3-8.P3.el6_2.1

opening needed ports in firewall
port 53 tcp and udp

disabling recursion -- this is to be an authoritative slave only.

creating rndc key via the Webmin interface

Once I create the slaves on the new server via Webmin it won't actually write the data to disk. I get a few errors in the logs that seem to be related to file permissions, but I am not a true unix head so I can't be sure.
It does create empty files in /var/named/chroot/var/named/slaves
Error recorded in the messages log:
ns1 named[8126]: zone mydomain.org/IN: refresh: could not set file modification time of '/var/named/slaves/mydomain.org.hosts': permission denied
I have tried on another system, a Fedora 5 machine, and it pulls the files down without issue.
wclune
 
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/06 09:13:13

Try

```
setsebool -P named_write_master_zones 1
```
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 01:15:56

That does not seem to have done anything, thanks for the suggestion. I grabbed another PC and installed CentOS 6.2, same issue. Bug???
wclune
 
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 01:32:07

Look in /var/log/messages and see if you have any SELinux denial messages. Also post the output from

```
ls -laZ /var/named/slaves/mydomain.org.hosts
ls -laZ /var/named/chroot/var/named/slaves/mydomain.org.hosts
```
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 02:30:06

There was nothing from SELinux in that folder. I don't believe it is installed by default any longer, and frankly I would have removed it.

outputs

[root@ns1 slaves]# ls -laZ /var/named/slaves/
drwxrwx---. named named system_u:object_r:named_cache_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..


[root@ns1 slaves]# ls -laZ /var/named/chroot/var/named/slaves/
drwxrwx---. named named unconfined_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rw-rw----. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
-rwxrwx---. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts

I think this is what you were looking for

Thanks in Advance!
wclune
 
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 03:05:16

To my incredible surprise SELinux was enabled. It is not now; I shall see after a reboot.
wclune
 
Posts: 6
Joined: 2012/01/06 01:01:05

centos 6.2 bind slaves permission denied

Post by pschaff » 2012/01/07 03:24:00

That should not be a surprise. Having SELinux installed and enabled is, and should be, the normal state of affairs. Why forgo one of the major features of an Enterprise Linux distribution?
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 03:29:05

I really recommend that you leave it enabled - it's no longer the beast that it used to be and offers a significant increase in security. If you want to test if it is the problem or not then you can run `setenforce 0` to put it into permissive mode on the fly.

Did you edit the output of the second ls -laZ - all the files there appear to be called the same thing which actually makes debugging incredibly difficult! There is one in that list that has different permissions to all the others - is the real name of that the same as the real message in your logs?

-rw-rw----. named named system_u:object_r:named_zone_t:s0 mydomain.com.hosts
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos 6.2 bind slaves permission denied

Post by wclune » 2012/01/07 04:38:23

That one record was a bit different from me trying things.
So I started over: uninstalled bind, all of it, deleted the directories and reinstalled. This way I am sure I didn't futz it up.

SELinux permissive, I know, but it has been a pain in the past.

output

[root@ns1 slaves]# ls -laZ /var/named/chroot/var/named/slaves/
drwxr-xr-x. root root system_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts

thanks again for your efforts.
wclune
 
Posts: 6
Joined: 2012/01/06 01:01:05

Re: centos 6.2 bind slaves permission denied

Post by TrevorH » 2012/01/07 04:58:46

OK, now the permissions are just wrong :-)

-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts


This should probably be owned by named:named as should the /var/named/chroot/var/named/slaves/ directory.
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
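
The ownership and label comparison this thread does by eye, as an added example that is not part of any post: a small shell filter over `ls -laZ` output. The expected owner (named:named) comes from the last reply; the expected type (named_cache_t) is an assumption taken from the /var/named/slaves listing earlier in the thread, and the function names and the example.org.hosts entry are made up for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -laZ` output for a BIND slave-zone directory.
# Expected values are assumptions; override them through the environment.
EXPECT_OWNER="${EXPECT_OWNER:-named}"        # owner suggested in the thread
EXPECT_GROUP="${EXPECT_GROUP:-named}"        # group suggested in the thread
EXPECT_TYPE="${EXPECT_TYPE:-named_cache_t}"  # type shown on /var/named/slaves

# Reads a listing (mode user group context name) on stdin and prints one
# "name: finding; finding" line per entry that differs from the expected
# values. Returns 1 if anything was flagged, 0 otherwise.
audit_slave_listing() {
  awk -v own="$EXPECT_OWNER" -v grp="$EXPECT_GROUP" -v typ="$EXPECT_TYPE" '
    function add(list, item) { return (list == "") ? item : (list "; " item) }
    # Skip shell prompts, blank lines, symlinks and the parent directory.
    NF != 5 || $1 !~ /^[-d]/ || $5 == ".." { next }
    {
      split($4, ctx, ":")                    # user:role:type:level
      found = ""
      if ($2 != own || $3 != grp)
        found = add(found, "owner " $2 ":" $3 ", expected " own ":" grp)
      if (ctx[3] != typ)
        found = add(found, "type " ctx[3] ", expected " typ)
      if (found != "") { print $5 ": " found; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Live use on a host: audit_slave_dir /var/named/chroot/var/named/slaves
audit_slave_dir() {
  ls -laZ "$1" | audit_slave_listing
}

# Sample input: the first three lines are the last listing posted in the
# thread; the fourth is constructed to show an entry that passes.
SAMPLE_LISTING='drwxr-xr-x. root root system_u:object_r:named_zone_t:s0 .
drwxr-x---. root named system_u:object_r:named_zone_t:s0 ..
-rw-r--r--. root root system_u:object_r:named_zone_t:s0 ldrs31.org.hosts
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 example.org.hosts'

printf '%s\n' "$SAMPLE_LISTING" | audit_slave_listing || true
```

On the thread's last listing this flags both the directory and ldrs31.org.hosts for root:root ownership and for the named_zone_t type.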
