[CentOS] Re: DNS Logging with Selinux enabled

2008-09-12 Thread Robert Nichols

Josh Donovan wrote:

> --- On Thu, 11/9/08, Ralph Angenendt [EMAIL PROTECTED] wrote:
>
> From: Ralph Angenendt [EMAIL PROTECTED]
> Subject: Re: [CentOS] DNS Logging with Selinux enabled
> To: CentOS mailing list centos@centos.org
> Date: Thursday, 11 September, 2008, 5:48 PM
>
>> That doesn't matter. For the normal targeted policy only the last part of
>> the policy listing is important (named_log_t in this case).
>>
>> Cheers,
>>
>> Ralph
>>
>> PS: Please trim your mails
>
> That did it. It's a wonder how upstream never fixes these issues,
> considering the average admin would like to log dns queries
> in a chroot. As for trimming the mail, it's a while since I was
> on the mailing list, but I remembered not to top post. :-)


When I asked about a similar problem a while back, the SELinux folks
told me that bind-chroot was not supported under SELinux because
SELinux already provides better protection.

--
Bob Nichols NOSPAM is really part of my email address.
Do NOT delete it.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Re: DNS Logging with Selinux enabled

2008-09-12 Thread Josh Donovan
Robert Nichols wrote:
> When I asked about a similar problem a while back, the SELinux folks
> told me that bind-chroot was not supported under SELinux because
> SELinux already provides better protection.

That is wrong. Every release of Fedora comes out and people ask how to 
configure bind to work in a chroot with selinux enabled. As Fedora is a
testbed for upstream, we should have these things ironed out. Possibly having a 
separate SELinux/Docs mailing list means they may not be aware of what is going 
on in the mainstream. 

Some of the old Fedora Docs are informative. Even a work in progress like
http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot

shows bind-chroot can work with SELinux







[CentOS] Re: DNS Logging with Selinux enabled

2008-09-12 Thread Robert Nichols

Josh Donovan wrote:

> Robert Nichols wrote:
>
>> When I asked about a similar problem a while back, the SELinux folks
>> told me that bind-chroot was not supported under SELinux because
>> SELinux already provides better protection.
>
> That is wrong. Every release of Fedora comes out and people ask how to
> configure bind to work in a chroot with selinux enabled. As Fedora is a
> testbed for upstream, we should have these things ironed out. Possibly
> having a separate SELinux/Docs mailing list means they may not be aware
> of what is going on in the mainstream.
>
> Some of the old Fedora Docs are informative. Even a work in progress like
> http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot
>
> shows bind-chroot can work with SELinux


Can work, yes.  Does upstream care that it doesn't install and work
cleanly, no.  That's the word I got from upstream (fedora-selinux-list).

--
Bob Nichols NOSPAM is really part of my email address.
Do NOT delete it.



Re: [CentOS] Re: DNS Logging with Selinux enabled

2008-09-12 Thread Robert Spangler
On Friday 12 September 2008 14:56, Robert Nichols wrote:

> Josh Donovan wrote:
>> Robert Nichols wrote:
>>> When I asked about a similar problem a while back, the SELinux folks
>>> told me that bind-chroot was not supported under SELinux because
>>> SELinux already provides better protection.
>>
>> That is wrong. Every release of Fedora comes out and people ask how to
>> configure bind to work in a chroot with selinux enabled. As Fedora is a
>> testbed for upstream, we should have these things ironed out. Possibly
>> having a separate SELinux/Docs mailing list means they may not be aware
>> of what is going on in the mainstream.
>>
>> Some of the old Fedora Docs are informative. Even a work in progress
>> like
>> http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot
>>
>> shows bind-chroot can work with SELinux
>
> Can work, yes.  Does upstream care that it doesn't install and work
> cleanly, no.  That's the word I got from upstream
> (fedora-selinux-list).

bind-chroot works fine.  The question is not if it works but if you are 
configuring it to work in that environment.  With SELinux running and bind in 
a chroot environment it is allowed to write to slave/ and data/ (this is 
going from memory; I haven't had to set up bind-chroot in some time).  As long as 
you set up your logging to data/ it will log everything and not complain.  
Only when you set up a custom server do you have issues.


-- 

Regards
Robert

It is not just an adventure.
It is my job!!

Linux User #296285
http://counter.li.org
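
Added example, not written by any poster in this thread: a named.conf query-logging stanza that follows the description above of logging under data/ in a bind-chroot setup. The channel name, file name and rotation values are assumptions, as is the stock chroot root of /var/named/chroot.

```conf
// Constructed example for a bind-chroot setup; names and values are assumptions.
options {
    // Path as named sees it inside the chroot; on disk this is
    // /var/named/chroot/var/named (assumed stock bind-chroot layout).
    directory "/var/named";
};

logging {
    // Relative path, so it resolves to <directory>/data/, the location the
    // post above describes as writable by named with SELinux enforcing.
    channel query_log {
        file "data/queries.log" versions 3 size 10m;
        severity info;
        print-time yes;
        print-category yes;
    };

    // Send query logging to that channel only.
    category queries { query_log; };

    // A channel pointing somewhere else, for example
    //     file "/var/log/named/queries.log";
    // only logs once the target inside the chroot carries a type named is
    // allowed to write (named_log_t earlier in this thread).
};
```

`named-checkconf -t /var/named/chroot /etc/named.conf` checks the syntax against the chroot, and `ls -Z` on the log directory shows the type the policy will evaluate.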