On 10.06.22 at 12:59, Søren Andersen wrote:
I think the source of the systemd unit file is from:
https://gitlab.isc.org/isc-packages/rpms/bind/-/blob/main/named.service.in
(And I'm using ISC's repo)
Perhaps Michał Kępień has any idea? 🙂
please don't convert plain-text mails in a reply to HTML, it looks like
after a war when converted back to plaintext
as said the line should be removed
[root@srv-rhsoft:~]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network-up.service
Requires=network-online.target network-up.service
[Service]
Type=simple
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
PermissionsStartOnly=true
TimeoutSec=25
Restart=always
RestartSec=1
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX AF_NETLINK
RestrictRealtime=yes
SystemCallArchitectures=native
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
SystemCallFilter=@system-service @network-io @mount
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @resources @swap
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
------------------------------------------------------------------------
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Reindl Harald <h.rei...@thelounge.net>
Sent: Friday, 10 June 2022 12.53
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: Re: Unable to start Bind on a fresh RHEL 8.6 system with enforcing SELinux
On 10.06.22 at 10:52, Søren Andersen wrote:
I've installed a fresh BIND on a RHEL 8.6 system with enforcing SELinux,
and when I try to start BIND with the provided systemd unit file it just
waits and times out, and also logs these errors in /var/log/message
Jun 10 10:09:25 systemd[1]: isc-bind-named.service: Can't convert PID
files /var/opt/isc/scls/isc-bind/run/named/named.pid O_PATH file
descriptor to proper file descriptor: Permission denied
Jun 10 10:09:25 systemd[1]: isc-bind-named.service: Can't convert PID
files /var/opt/isc/scls/isc-bind/run/named/named.pid O_PATH file
descriptor to proper file descriptor: Permission denied
If I remove PIDFile in the systemd unit it just works fine..
[Service]
Type=forking
EnvironmentFile=-/etc/opt/isc/scls/isc-bind/sysconfig/named
#PIDFile=/var/opt/isc/scls/isc-bind/run/named/named.pid
ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
PrivateTmp=true
Anyone else experiencing this?
PIDFile shouldn't be needed at all - especially for threaded services
it's useless, systemd knows the PID anyway
if that option is used in the provided systemd unit one should ask the
guy who has written it: why?
if it were useful my "ExecReload=/usr/bin/kill -HUP $MAINPID" wouldn't
have worked for nearly 10 years without "PIDFile" (no i won't use and configure
rndc - keep it simple)
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
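The thread turns on how systemd learns named's main PID: with Type=simple and named in the foreground (-f), systemd spawned the process itself and $MAINPID is exact; with Type=forking and no readable PIDFile, systemd falls back to guessing it (GuessMainPID= defaults to yes). The following script is an added example, not code from the thread or from ISC; it parses constructed copies of the two [Service] fragments above, reports how $MAINPID would be determined, and matches the "Can't convert PID files ... Permission denied" journal line so the denial can be spotted in logs.

```python
import re
# Constructed samples mirroring the two [Service] fragments in the thread (not files on disk).
FORKING_UNIT = """[Service]
Type=forking
#PIDFile=/var/opt/isc/scls/isc-bind/run/named/named.pid
ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
"""
SIMPLE_UNIT = """[Service]
Type=simple
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
"""
# Constructed journal line in the shape of the error quoted in the thread.
LOG = ("Jun 10 10:09:25 systemd[1]: isc-bind-named.service: Can't convert PID files "
       "/var/run/named/named.pid O_PATH file descriptor to proper file descriptor: Permission denied")

def parse_service(unit_text):
    """Return [Service] directives as {key: [values]}; comments and other sections are skipped."""
    section, keys = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            k, v = line.split("=", 1)
            keys.setdefault(k.strip(), []).append(v.strip())
    return keys

def mainpid_source(unit_text):
    """How systemd learns $MAINPID: 'direct' (it spawned the process), 'pidfile', or 'guessed'."""
    svc = parse_service(unit_text)
    if svc.get("Type", ["simple"])[0] != "forking":
        return "direct"
    return "pidfile" if "PIDFile" in svc else "guessed"  # GuessMainPID= defaults to yes

PIDFILE_DENIED = re.compile(r"(\S+\.service): Can't convert PID files? (\S+) .*Permission denied")
def pidfile_denials(log_lines):
    """(unit, pidfile) pairs for every line where systemd could not open the PIDFile."""
    return [(m.group(1), m.group(2)) for m in map(PIDFILE_DENIED.search, log_lines) if m]

def audit(unit_text):
    """Findings about how reliably the unit can deliver SIGHUP to the right process."""
    svc, source, findings = parse_service(unit_text), mainpid_source(unit_text), []
    uses_mainpid = any("$MAINPID" in v for k, vs in svc.items() if k.startswith("Exec") for v in vs)
    if source == "guessed" and uses_mainpid:
        findings.append("Type=forking without PIDFile: $MAINPID is only guessed")
    foreground = any({"-f", "-g"} & set(v.split()) for v in svc.get("ExecStart", []))
    if source == "direct" and not foreground:
        findings.append("Type=simple but named is not started with -f/-g: it will daemonize")
    return findings
```

Run `audit()` over a real unit (e.g. the output of `systemctl cat named`) and `pidfile_denials()` over `journalctl -u <unit>` lines to confirm which of the two situations a host is in.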