----- Original Message -----
From: "ToddAndMargo" <toddandma...@zoho.com>
To: bind-users@lists.isc.org
Sent: Friday, August 11, 2017 10:39:11 PM
Subject: Confused about SELinux error

Hi All,

What does this SELinux error mean when I start bind-chroot?

       # semanage fcontext -a -t FILE_TYPE 'session.key'

       where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
       ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
       named_log_t, named_tmp_t, named_var_run_t.

      # semanage fcontext -a -t named_var_run_t 'session.key'
      # restorecon -v 'session.key'


How am I supposed to know what "FILE_TYPE" they are talking about?

-T

On 08/14/2017 06:26 AM, Petr Mensik wrote:
Hi Todd,

That means you are trying to save session.key into a directory where SELinux is 
forbidding write access to named.
session.key is a file created once per start and removed before shutdown. I think 
you have something wrong with the link /var/run/named -> /run/named.
The default built-in value is /var/run/named/session.key. The default Fedora 
configuration uses /run/named/session.key. Both paths should work without 
difference.

The correct SELinux type for files in /run/named is named_var_run_t. I think you 
should run instead:
$ restorecon -rv /run/named /var/run/named

Then restart the named service. The context of a new file should then already be correct.

Do you have this option in your configuration file? What is its value?
# options { ...
session-keyfile "/run/named/session.key";

It would be helpful if you included your configuration in readable form, please.

Chuckle.  I promise not to use Zoho's web mail.  And
I thought Gmail's web mail stunk!


The listed types are most likely the types named is allowed to touch. I admit SELinux 
errors are often confusing. What you wrote here are hints on how to solve 
the error, not the error itself.
More helpful errors would be printed by:
$ ausearch -i -ts today -m avc -m user_avc -m selinux_err

Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973


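Petr's ausearch command prints the raw AVC records, which are still terse. The following added example (not code from the thread or from BIND; the audit lines are constructed samples in the `ausearch -i` layout) parses such records, pulls out the source domain, target type, object class and denied permissions, and sorts each denial into "mislabelled path, fix with restorecon", "already a named-accessible type, so relabelling will not help", or "not named at all", using the FILE_TYPE list from the setroubleshoot hint in Todd's first message as the set of types named may be given.

```python
import re
from dataclasses import dataclass

# Types the setroubleshoot hint in Todd's message lists as valid FILE_TYPE values
# for named.  A denied target labelled anything else points at a mislabelled path.
NAMED_WRITABLE_TYPES = {
    "dnssec_trigger_var_run_t", "ipa_var_lib_t", "krb5_host_rcache_t",
    "krb5_keytab_t", "named_cache_t", "named_log_t", "named_tmp_t",
    "named_var_run_t",
}

# Constructed sample records in the shape `ausearch -i` prints (not real audit data).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(08/14/2017 06:10:21.123:456) : avc:  denied  { write } for  '
    'pid=1234 comm=named name=named dev="tmpfs" ino=12345 '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(08/14/2017 06:11:02.007:461) : avc:  denied  { read } for  '
    'pid=2345 comm=dhcpd name=rndc.key dev="dm-0" ino=67890 '
    'scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:named_conf_t:s0 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


@dataclass
class AvcDenial:
    perms: list
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool


def _ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial record; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        source_type=_ctx_type(fields.get("scontext", "")),
        target_type=_ctx_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
    )


def diagnose(denial):
    """Classify a denial: 'other-domain', 'policy' or 'mislabel'."""
    if denial.source_type != "named_t":
        return "other-domain"
    if denial.target_type in NAMED_WRITABLE_TYPES:
        return "policy"  # label is fine; the permission itself is what policy forbids
    return "mislabel"    # label is not one named may use: restorecon the path


HINTS = {
    "mislabel": "target is not a named-accessible type; run restorecon -rv on the "
                "directory (Petr's advice) instead of adding a policy rule",
    "policy": "target already carries a named-accessible type; restorecon will not "
              "help, look at the denied permission and the affected path instead",
    "other-domain": "not a named_t denial; unrelated to the bind-chroot start-up problem",
}


def explain(line):
    """Return (verdict, human-readable explanation) for one AVC record, or None."""
    d = parse_avc(line)
    if d is None:
        return None
    verdict = diagnose(d)
    summary = (f"{d.comm} ({d.source_type}) denied {' '.join(d.perms)} on "
               f"{d.tclass} '{d.name}' labelled {d.target_type}")
    if d.permissive:
        summary += " [permissive: logged, not enforced]"
    return verdict, f"{summary}: {HINTS[verdict]}"


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        print(*explain(line), sep=": ")
```

Feed it the output of `ausearch -i -ts today -m avc` on a real host; the first constructed record (named_t writing into a directory still labelled var_run_t) is exactly the situation Petr describes, and the parser reports it as a relabelling problem rather than a missing policy rule.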

Hi Petr,

Thank you for responding!  I have attached my
named.conf and my dhcpd.conf.

I have an rndc.key in /var/named/chroot/etc/:

key "rndckey" {
        algorithm       hmac-md5;
        secret          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};


But I don't see named.conf calling it out.  It may
be a holdover from the previous CentOS 5 installation.

I do see "key DHCP_UPDATER" called out.  Perhaps
that is what rndckey is about?

-T



~~~~~~~~~~~~~ named.conf ~~~~~~~~~~~~~~~
options {
        # the following forwarders is for Open DNS
        forwarders { 208.67.222.222; 208.67.220.220; };
        directory "/var/named";
};

zone "." {
        type hint;
        file "named.ca";
};

key DHCP_UPDATER {
    algorithm hmac-md5;
    secret xxxxxxxxxxxxxxxxxxxxxxxx;
};

zone "xxxx.local" {
        type master;
        file "slaves/xxxxx.hosts";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "yyy.168.192.in-addr.arpa" {
        type master;
        file "slaves/xxxxx.hosts.rev";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

logging {
     channel update_debug {
          file "slaves/named-update-debug.log";
          severity  debug 3;
          print-category yes;
          print-severity yes;
          print-time     yes;
      };
          channel security_info    {
          file "slaves/named-auth.info";
          severity  info;
          print-category yes;
          print-severity yes;
          print-time     yes;
      };

      category update { update_debug; };
      category security { security_info; };
};


~~~~~~~~~~~~~ dhcpd.conf ~~~~~~~~~~~~~~~
DHCPDARGS=eno1;
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;

option ntp-servers 192.168.xxx.yyy;
option domain-name "xxxxxx.local";
option domain-name-servers 192.168.xxx.yyy;
option netbios-node-type 8;


key DHCP_UPDATER {
    algorithm hmac-md5;
    secret xxxxxxxxxxxxxxxxxxxxxxx;
};

zone xxxxx.local. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone xxx.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}


subnet 192.168.xxx.0 netmask 255.255.255.0 {
        range 192.168.xxx.100 192.168.xxx.200;
        default-lease-time 10368000;
        max-lease-time 10368000;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.xxx.255;
        option routers 192.168.xxx.yyy;
        option domain-name-servers 192.168.xxx.yyy;
        option domain-name "xxxxxx.local";
        option time-offset 39600;
        option ip-forwarding off;
        option netbios-node-type 1;

        # numerous fix IP removed for brevity

}


subnet  aaa.bbb.ccc.ddd netmask 255.255.255.252 {}
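Todd's named.conf and dhcpd.conf each carry their own copy of `key DHCP_UPDATER`, and dynamic updates only work when the two definitions agree exactly. The following added example (not code from the thread, from BIND or from ISC DHCP; the two config fragments are constructed samples with a made-up secret) extracts the `key` blocks from both files, checks that every key referenced by `allow-update` is defined, that name, algorithm and secret match across the two files, that the secret is well-formed base64, and flags hmac-md5, which BIND has deprecated for TSIG, in favour of hmac-sha256.

```python
import base64
import binascii
import re

# Constructed sample secret (base64 of a fixed string, not a real key).
SAMPLE_SECRET = base64.b64encode(b"constructed-sample-secret-32-bytes!!").decode()

# Constructed named.conf fragment in the shape of Todd's file.
SAMPLE_NAMED_CONF = '''
key "DHCP_UPDATER" {
    algorithm hmac-sha256;
    secret "@SECRET@";
};

zone "example.local" {
    type master;
    file "slaves/example.hosts";
    allow-update { key DHCP_UPDATER; };
#   allow-update { 127.0.0.1; };
};
'''.replace("@SECRET@", SAMPLE_SECRET)

# Constructed dhcpd.conf fragment in the shape of Todd's file.
SAMPLE_DHCPD_CONF = '''
key DHCP_UPDATER {
    algorithm hmac-sha256;
    secret @SECRET@;
};

zone example.local. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}
'''.replace("@SECRET@", SAMPLE_SECRET)

KEY_BLOCK_RE = re.compile(r'\bkey\s+"?(?P<name>[\w.-]+)"?\s*\{(?P<body>[^}]*)\}')
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
KEY_REF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')
WEAK_ALGORITHMS = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}


def strip_comments(text):
    """Drop `#` and `//` comments so commented-out statements are ignored."""
    return re.sub(r"(#|//).*", "", text)


def parse_keys(text):
    """Return {key_name: {'algorithm': ..., 'secret': ...}} for every key block."""
    keys = {}
    for m in KEY_BLOCK_RE.finditer(strip_comments(text)):
        body = m.group("body")
        alg = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body)
        sec = re.search(r'secret\s+"?([^";\s]+)"?\s*;', body)
        keys[m.group("name")] = {
            "algorithm": alg.group(1).lower() if alg else None,
            "secret": sec.group(1) if sec else None,
        }
    return keys


def referenced_keys(named_conf):
    """Key names used inside allow-update statements in named.conf."""
    names = set()
    for body in ALLOW_UPDATE_RE.findall(strip_comments(named_conf)):
        names.update(KEY_REF_RE.findall(body))
    return names


def valid_base64(secret):
    try:
        base64.b64decode(secret, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_tsig(named_conf, dhcpd_conf):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    issues = []
    nkeys, dkeys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    for name in referenced_keys(named_conf):
        if name not in nkeys:
            issues.append(f"{name}: referenced by allow-update but not defined in named.conf")
    for name, d in dkeys.items():
        n = nkeys.get(name)
        if n is None:
            issues.append(f"{name}: defined in dhcpd.conf but missing from named.conf")
            continue
        if n["algorithm"] != d["algorithm"]:
            issues.append(f"{name}: algorithm differs ({n['algorithm']} vs {d['algorithm']})")
        if n["secret"] != d["secret"]:
            issues.append(f"{name}: secret differs between named.conf and dhcpd.conf")
    for name, k in {**nkeys, **dkeys}.items():
        if k["algorithm"] in WEAK_ALGORITHMS:
            issues.append(f"{name}: uses {k['algorithm']}; prefer hmac-sha256")
        if k["secret"] and not valid_base64(k["secret"]):
            issues.append(f"{name}: secret is not valid base64")
    return issues


if __name__ == "__main__":
    for issue in check_tsig(SAMPLE_NAMED_CONF, SAMPLE_DHCPD_CONF) or ["no issues found"]:
        print(issue)
```

Run it as `check_tsig(open("named.conf").read(), open("dhcpd.conf").read())` on the real files. Note that it treats the secret as a shared credential to compare, never to print, and that a stray `rndc.key` like the one Todd found in the chroot is invisible to it unless named.conf actually includes that file.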


