On Fri, 11 Sep 2009, Andrews, Harold G CTR USAF HQ AF GCIC/CT wrote:
I’m having a bit of difficulty setting up bind on FC11 (x64) which I’m using in a standalone network environment (i.e. no external network connectivity; essentially a closed dev network). I loaded the package from Red Hat and started it running as a service after building my zone files and /etc/named.conf. I’m not using chroot, just vanilla bind. I’ve read a number of posts about conflicts with bind and SELinux which seems to be the issue here. When I set the named_write_master_zones flag in SELinux, any actions related to starting or stopping the named service seem to set the flag back to false.
Adam is the person to ask about SElinux and Bind. I've CC:ed him and included the message for him. Adam, can you help Harold? Paul
> restorecon -R -v /var/named
> setsebool -P named_write_master_zones=1

Message log entry:

Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root

> service named restart

Message log entry:

Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: shutting down: flushing changes
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on 127.0.0.1#953
Sep 11 17:13:19 netmgr named[3198]: stopping command channel on ::1#953
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 127.0.0.1#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on 192.168.2.0#53
Sep 11 17:13:19 netmgr named[3198]: no longer listening on ::1#53
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 11 17:13:20 netmgr named[3270]: adjusted limit on open files from 1024 to 1048576
Sep 11 17:13:20 netmgr named[3270]: found 4 CPUs, using 4 worker threads
Sep 11 17:13:20 netmgr named[3270]: using up to 4096 sockets
Sep 11 17:13:20 netmgr named[3270]: loading configuration from '/etc/named.conf'
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv4 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: using default UDP/IPv6 port range: [1024, 65535]
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv4 interface eth0, 192.168.2.0#53
Sep 11 17:13:20 netmgr named[3270]: listening on IPv6 interface lo, ::1#53
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 127.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: D.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: A.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: automatic empty zone: B.E.F.IP6.ARPA
Sep 11 17:13:20 netmgr named[3270]: command channel listening on 127.0.0.1#953
Sep 11 17:13:20 netmgr named[3270]: command channel listening on ::1#953
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: NS 'netmgr.2.168.192.in-addr.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 2.168.192.in-addr.arpa/IN: loaded serial 9091101
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Sep 11 17:13:20 netmgr named[3270]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost.localdomain/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone localhost/IN: loaded serial 0
Sep 11 17:13:20 netmgr named[3270]: zone u-giif.af.mil/IN: loaded serial 9091103
Sep 11 17:13:20 netmgr named[3270]: running
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory For complete SELinux messages. run sealert -l d8456462-ce0f-4372-89ac-fafae8a6be35

Thoughts as to how to convince SELinux that I wasn’t kidding?

Thanks.
-Andy
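Added example, not part of the thread and not Harold's or Paul's own commands: a small shell script that reads a syslog-style messages file and answers the two questions this report raises, namely when the boolean changed and whether each change to 0 landed within a few seconds of a "starting BIND" line, which is the signature of a restart path clearing a boolean the administrator had just set. It also counts the setroubleshoot denials for named. The sample log is constructed here from a trimmed selection of the entries quoted above, and the awk field positions assume the "Mon DD HH:MM:SS host prog: ..." layout shown in them; both are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example: correlate setsebool changes with named restarts in a
# syslog-style messages file. Not from the thread; the sample log below is
# constructed from entries quoted in it, and the field positions assume the
# "Mon DD HH:MM:SS host prog: ..." layout those entries show.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 11 17:13:11 netmgr setsebool: The named_write_master_zones policy boolean was changed to 1 by root
Sep 11 17:13:19 netmgr setsebool: The named_write_master_zones policy boolean was changed to 0 by root
Sep 11 17:13:19 netmgr named[3198]: received control channel command 'stop'
Sep 11 17:13:19 netmgr named[3198]: exiting
Sep 11 17:13:20 netmgr named[3270]: starting BIND 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 -u named
Sep 11 17:13:20 netmgr named[3270]: the working directory is not writable
Sep 11 17:13:22 netmgr setroubleshoot: SELinux is preventing the named daemon from writing to the zone directory
EOF

# boolean_timeline LOG BOOLEAN
# Prints one "HH:MM:SS value" line per recorded change of BOOLEAN, in log order.
boolean_timeline() {
    awk -v b="$2" '$5 == "setsebool:" && $7 == b && $12 == "to" { print $3, $13 }' "$1"
}

# restart_reverts LOG BOOLEAN [WINDOW_SECONDS]
# Reports every change of BOOLEAN to 0 that is followed, within WINDOW_SECONDS
# (default 5), by a "starting BIND" line from named.
restart_reverts() {
    awk -v b="$2" -v win="${3:-5}" '
    function secs(hms,   t) { split(hms, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    $5 == "setsebool:" && $7 == b && $13 == "0" { n++; off[n] = secs($3); offts[n] = $3 }
    $5 ~ /^named\[[0-9]+\]:$/ && $6 == "starting" && $7 == "BIND" {
        s = secs($3)
        for (i = 1; i <= n; i++)
            if (s >= off[i] && s - off[i] <= win)
                print offts[i], b, "cleared", (s - off[i]) "s before named start at", $3
    }' "$1"
}

# selinux_denials LOG
# Number of setroubleshoot lines about named. A non-zero count right after a
# restart means the boolean is not in effect at runtime, whatever -P was told.
selinux_denials() {
    grep -c 'setroubleshoot: SELinux is preventing the named daemon' "$1" || true
}

echo "== boolean timeline =="
boolean_timeline "$SAMPLE_LOG" named_write_master_zones
echo "== boolean cleared just before a named start =="
restart_reverts "$SAMPLE_LOG" named_write_master_zones
echo "== setroubleshoot denials for named: $(selinux_denials "$SAMPLE_LOG") =="
```

Point it at /var/log/messages instead of the constructed sample to check a live host. A line from restart_reverts says the service's start path, not an operator, is flipping the boolean, so the fix belongs in whatever that path reads rather than in another setsebool -P; a non-zero denial count with an empty restart_reverts output points at a different cause, such as file contexts under the zone directory.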
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users