I moved the file from /etc to /var/named and now I get an additional error line 
printed in /var/log/messages.

Sep  6 15:44:40 ns3 named[15443]: received control channel command 'secroots'
Sep  6 15:44:40 ns3 named[15443]: could not open secroots dump file 
'named.secroots': permission denied
Sep  6 15:44:40 ns3 named[15443]: dumpsecroots failed: permission denied
Sep  6 15:44:40 ns3 audit: <audit-1400> { write } for  pid=15447 comm="named" 
name="named.secroots" dev="dm-0" ino=135707451 
scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 
tclass=file permissive=0


This error also appears in the audit.log file and a search is pointing to 
SELinux as the hangup.  Any pointers on dealing with SELinux would be 
appreciated.

type=AVC msg=audit(1536266680.663:75671): avc:  denied  { write } for  
pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451 
scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 
tclass=file permissive=0


I left all of the permissions the same and I think they should be lenient 
enough:
[root@ns3 named]# ls -lh named.secroots
-rw-rw-rw-. 1 named named 0 Sep  6 13:52 named.secroots




-----Original Message-----
From: Hugo Salgado-Hernández [mailto:hsalg...@nic.cl] 
Sent: Thursday, September 06, 2018 3:39 PM
To: Brent Swingle <br...@havilandtelco.com>
Cc: Evan Hunt <e...@isc.org>; bind-users@lists.isc.org
Subject: Re: [BIND] RE: KSK Rollover

Hi Brent.
In out CentOS box, the named.secroots file is written on
  /var/named/

You should check permissions there too.

Hugo

On 20:32 06/09, Brent Swingle wrote:
> Evan,
> 
> I ran the command and followed the directions to build out rndc as you have 
> suggested.  However, I am not sure that it made much of a difference.  I 
> should have been a little clearer from the beginning.  I had worked with rndc 
> to issue other commands and had received what appeared to be valid responses 
> as if rndc was functional.  I had somewhat assumed that rndc was baked in 
> behind the scenes and ready to go.  Either way I it has a rndc.conf and is 
> specified in named.conf at this point.
> 
> I have two of these servers that are identical from an SW perspective.  As a 
> test, I issued "rndc secroots" on the server that I have modified to 
> configure rndc and observed the following lines appear in the 
> /var/log/messages file.  When I issued "rndc secroots" from the non-modified 
> file I get the same 3 lines.  It acts like the process is running but it is 
> unable to write output to the named.secroots file.
> 
> Sep  6 14:33:13 ns2 named[31189]: received control channel command 'secroots'
> Sep  6 14:33:13 ns2 named[31189]: could not open secroots dump file 
> 'named.secroots': permission denied Sep  6 14:33:13 ns2 named[31189]: 
> dumpsecroots failed: permission denied
> 
> 
> As a test, I manually created named.secroots with weakened permissions to see 
> if that made a difference but it still won't print output to it.
> [root@ns3 etc]# ls -lh named.secroots
> -rw-rw-rw-. 1 named named 0 Sep  6 13:52 named.secroots
> 
> 
> 
> -----Original Message-----
> From: Evan Hunt [mailto:e...@isc.org]
> Sent: Thursday, September 06, 2018 1:22 PM
> To: Brent Swingle <br...@havilandtelco.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: KSK Rollover
> 
> On Thu, Sep 06, 2018 at 05:34:21PM +0000, Brent Swingle wrote:
> > This is the command that does not work and the output received:
> > [root@ns2 ~]# rndc secroots
> > rndc: 'secroots' failed: permission denied
> > [root@ns2 ~]#
> 
> Have you set up your server to accept rndc commands?
> 
> If not, run "rndc-confgen" and follow the directions.
> 
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to