I moved the file from /etc to /var/named and now I get an additional error line
printed in /var/log/messages.
Sep 6 15:44:40 ns3 named[15443]: received control channel command 'secroots'
Sep 6 15:44:40 ns3 named[15443]: could not open secroots dump file
'named.secroots': permission denied
Sep 6 15:44:40 ns3 named[15443]: dumpsecroots failed: permission denied
Sep 6 15:44:40 ns3 audit: <audit-1400> { write } for pid=15447 comm="named"
name="named.secroots" dev="dm-0" ino=135707451
scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0
tclass=file permissive=0
This error also appears in the audit.log file and a search is pointing to
SELinux as the hangup. Any pointers on dealing with SELinux would be
appreciated.
type=AVC msg=audit(1536266680.663:75671): avc: denied { write } for
pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451
scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0
tclass=file permissive=0
I left all of the permissions the same and I think they should be lenient
enough:
[root@ns3 named]# ls -lh named.secroots
-rw-rw-rw-. 1 named named 0 Sep 6 13:52 named.secroots
-----Original Message-----
From: Hugo Salgado-Hernández [mailto:hsalg...@nic.cl]
Sent: Thursday, September 06, 2018 3:39 PM
To: Brent Swingle <br...@havilandtelco.com>
Cc: Evan Hunt <e...@isc.org>; bind-users@lists.isc.org
Subject: Re: [BIND] RE: KSK Rollover
Hi Brent.
In out CentOS box, the named.secroots file is written on
/var/named/
You should check permissions there too.
Hugo
On 20:32 06/09, Brent Swingle wrote:
> Evan,
>
> I ran the command and followed the directions to build out rndc as you have
> suggested. However, I am not sure that it made much of a difference. I
> should have been a little clearer from the beginning. I had worked with rndc
> to issue other commands and had received what appeared to be valid responses
> as if rndc was functional. I had somewhat assumed that rndc was baked in
> behind the scenes and ready to go. Either way I it has a rndc.conf and is
> specified in named.conf at this point.
>
> I have two of these servers that are identical from an SW perspective. As a
> test, I issued "rndc secroots" on the server that I have modified to
> configure rndc and observed the following lines appear in the
> /var/log/messages file. When I issued "rndc secroots" from the non-modified
> file I get the same 3 lines. It acts like the process is running but it is
> unable to write output to the named.secroots file.
>
> Sep 6 14:33:13 ns2 named[31189]: received control channel command 'secroots'
> Sep 6 14:33:13 ns2 named[31189]: could not open secroots dump file
> 'named.secroots': permission denied Sep 6 14:33:13 ns2 named[31189]:
> dumpsecroots failed: permission denied
>
>
> As a test, I manually created named.secroots with weakened permissions to see
> if that made a difference but it still won't print output to it.
> [root@ns3 etc]# ls -lh named.secroots
> -rw-rw-rw-. 1 named named 0 Sep 6 13:52 named.secroots
>
>
>
> -----Original Message-----
> From: Evan Hunt [mailto:e...@isc.org]
> Sent: Thursday, September 06, 2018 1:22 PM
> To: Brent Swingle <br...@havilandtelco.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: KSK Rollover
>
> On Thu, Sep 06, 2018 at 05:34:21PM +0000, Brent Swingle wrote:
> > This is the command that does not work and the output received:
> > [root@ns2 ~]# rndc secroots
> > rndc: 'secroots' failed: permission denied
> > [root@ns2 ~]#
>
> Have you set up your server to accept rndc commands?
>
> If not, run "rndc-confgen" and follow the directions.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
