mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

SE Linux

Browse Source
This commit is contained in:
Mark Andrews 2005-12-21 02:15:31 +00:00
parent dba453de6f
commit 0bec2ce285
2 changed files with 270 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
FAQ
View File

@ -542,3 +542,105 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you
Future versions of named are likely to do this automatically. Future versions of named are likely to do this automatically.
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones from
journals?
Why can't named create custom log files?
A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
Red Hat have adopted the National Security Agency's SELinux security
policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND
security , which are more secure than running named in a chroot and make
use of the bind-chroot environment unecessary .
By default, named is not allowed by the SELinux policy to write, create or
delete any files EXCEPT in these directories:
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
installed.
The SELinux policy particularly does NOT allow named to modify the
$ROOTDIR/var/named directory, the default location for master zone
database files.
SELinux policy overrules file access permissions - so even if all the
files under /var/named have ownership named:named and mode rw-rw-r--,
named will still not be able to write or create files except in the
directories above, with SELinux in Enforcing mode.
So, to allow named to update slave or DDNS zone files, it is best to
locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements
such as:
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
To allow named to create its cache dump and statistics files, for example,
you could use named.conf options statements such as:
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
You can also tell SELinux to allow named to update any zone database
files, by setting the SELinux tunable boolean parameter
'named_write_master_zones=1', using the system-config-securitylevel GUI,
using the 'setsebool' command, or in /etc/selinux/targeted/booleans.
You can disable SELinux protection for named entirely by setting the
'named_disable_trans=1' SELinux tunable boolean parameter.
The SELinux named policy defines these SELinux contexts for named:
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
If you want to retain use of the SELinux policy for named, and put named
files in different locations, you can do so by changing the context of the
custom file locations .
To create a custom configuration file location, eg. '/root/named.conf', to
use with the 'named -c' option, do:
# chcon system_u:object_r:named_conf_t /root/named.conf
To create a custom modifiable named data location, eg. '/var/log/named'
for a log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
To create a custom zone file location, eg. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
See these man-pages for more information : selinux(8), named_selinux(8),
chcon(1), setsebool(8)

169
FAQ.xml
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: FAQ.xml,v 1.8 2005/11/30 03:20:40 marka Exp $ --> <!-- $Id: FAQ.xml,v 1.9 2005/12/21 02:15:29 marka Exp $ -->
<article class="faq"> <article class="faq">
<title>Frequently Asked Questions about BIND 9</title> <title>Frequently Asked Questions about BIND 9</title>
@ -1017,9 +1017,176 @@ empty:
1 3600 1200 604800 10800 ) 1 3600 1200 604800 10800 )
@ 10800 IN NS &lt;name-of-server&gt;.</programlisting> @ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
</informalexample> </informalexample>
<para>
<note> <note>
Future versions of named are likely to do this automatically. Future versions of named are likely to do this automatically.
</note> </note>
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
</para>
<para>
Why can't named update slave zone database files?
</para>
<para>
Why can't named create DDNS journal files or update
the master zones from journals?
</para>
<para>
Why can't named create custom log files?
</para>
</question>
<answer>
<para>
Red Hat Security Enhanced Linux (SELinux) policy security
protections :
</para>
<para>
Red Hat have adopted the National Security Agency's
SELinux security policy ( see http://www.nsa.gov/selinux
) and recommendations for BIND security , which are more
secure than running named in a chroot and make use of
the bind-chroot environment unecessary .
</para>
<para>
By default, named is not allowed by the SELinux policy
to write, create or delete any files EXCEPT in these
directories:
<informalexample>
<programlisting>
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
</programlisting>
</informalexample>
where $ROOTDIR may be set in /etc/sysconfig/named if
bind-chroot is installed.
</para>
<para>
The SELinux policy particularly does NOT allow named to modify
the $ROOTDIR/var/named directory, the default location for master
zone database files.
</para>
<para>
SELinux policy overrules file access permissions - so
even if all the files under /var/named have ownership
named:named and mode rw-rw-r--, named will still not be
able to write or create files except in the directories
above, with SELinux in Enforcing mode.
</para>
<para>
So, to allow named to update slave or DDNS zone files,
it is best to locate them in $ROOTDIR/var/named/slaves,
with named.conf zone statements such as:
<informalexample>
<programlisting>
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
</programlisting>
</informalexample>
</para>
<para>
To allow named to create its cache dump and statistics
files, for example, you could use named.conf options
statements such as:
<informalexample>
<programlisting>
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
</programlisting>
</informalexample>
</para>
<para>
You can also tell SELinux to allow named to update any
zone database files, by setting the SELinux tunable boolean
parameter 'named_write_master_zones=1', using the
system-config-securitylevel GUI, using the 'setsebool'
command, or in /etc/selinux/targeted/booleans.
</para>
<para>
You can disable SELinux protection for named entirely by
setting the 'named_disable_trans=1' SELinux tunable boolean
parameter.
</para>
<para>
The SELinux named policy defines these SELinux contexts for named:
<informalexample>
<programlisting>
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
</programlisting>
</informalexample>
</para>
<para>
If you want to retain use of the SELinux policy for named,
and put named files in different locations, you can do
so by changing the context of the custom file locations
.
</para>
<para>
To create a custom configuration file location, eg.
'/root/named.conf', to use with the 'named -c' option,
do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_conf_t /root/named.conf
</programlisting>
</informalexample>
</para>
<para>
To create a custom modifiable named data location, eg.
'/var/log/named' for a log file, do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_cache_t /var/log/named
</programlisting>
</informalexample>
</para>
<para>
To create a custom zone file location, eg. /root/zones/, do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
</programlisting>
</informalexample>
</para>
<para>
See these man-pages for more information : selinux(8),
named_selinux(8), chcon(1), setsebool(8)
</para>
</answer> </answer>
</qandaentry> </qandaentry>
</qandaset> </qandaset>