SE Linux

2025-08-29 13:38:26 +00:00 · 2005-12-21 02:15:31 +00:00 · 2005-12-21 02:15:31 +00:00 · 0bec2ce285
commit 0bec2ce285
parent dba453de6f
2 changed files with 270 additions and 1 deletions
--- a/102
+++ b/102
@ -542,3 +542,105 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you

   Future versions of named are likely to do this automatically.

+Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+
+   Why can't named update slave zone database files?
+
+   Why can't named create DDNS journal files or update the master zones from
+   journals?
+
+   Why can't named create custom log files?
+
+A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
+
+   Red Hat have adopted the National Security Agency's SELinux security
+   policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND
+   security , which are more secure than running named in a chroot and make
+   use of the bind-chroot environment unecessary .
+
+   By default, named is not allowed by the SELinux policy to write, create or
+   delete any files EXCEPT in these directories:
+
+   $ROOTDIR/var/named/slaves
+   $ROOTDIR/var/named/data
+   $ROOTDIR/var/tmp
+
+
+   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
+   installed.
+
+   The SELinux policy particularly does NOT allow named to modify the
+   $ROOTDIR/var/named directory, the default location for master zone
+   database files.
+
+   SELinux policy overrules file access permissions - so even if all the
+   files under /var/named have ownership named:named and mode rw-rw-r--,
+   named will still not be able to write or create files except in the
+   directories above, with SELinux in Enforcing mode.
+
+   So, to allow named to update slave or DDNS zone files, it is best to
+   locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements
+   such as:
+
+   zone "slave.zone." IN {
+           type slave;
+           file "slaves/slave.zone.db";
+           ...
+   };
+   zone "ddns.zone." IN  {
+           type master;
+           allow-updates {...};
+           file "slaves/ddns.zone.db";
+   };
+
+
+   To allow named to create its cache dump and statistics files, for example,
+   you could use named.conf options statements such as:
+
+   options {
+           ...
+           dump-file "/var/named/data/cache_dump.db";
+           statistics-file "/var/named/data/named_stats.txt";
+           ...
+   };
+
+
+   You can also tell SELinux to allow named to update any zone database
+   files, by setting the SELinux tunable boolean parameter
+   'named_write_master_zones=1', using the system-config-securitylevel GUI,
+   using the 'setsebool' command, or in /etc/selinux/targeted/booleans.
+
+   You can disable SELinux protection for named entirely by setting the
+   'named_disable_trans=1' SELinux tunable boolean parameter.
+
+   The SELinux named policy defines these SELinux contexts for named:
+
+   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
+   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+
+
+   If you want to retain use of the SELinux policy for named, and put named
+   files in different locations, you can do so by changing the context of the
+   custom file locations .
+
+   To create a custom configuration file location, eg. '/root/named.conf', to
+   use with the 'named -c' option, do:
+
+   # chcon system_u:object_r:named_conf_t /root/named.conf
+
+
+   To create a custom modifiable named data location, eg. '/var/log/named'
+   for a log file, do:
+
+   # chcon system_u:object_r:named_cache_t /var/log/named
+
+
+   To create a custom zone file location, eg. /root/zones/, do:
+
+   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+
+
+   See these man-pages for more information : selinux(8), named_selinux(8),
+   chcon(1), setsebool(8)
+
--- a/FAQ.xml
+++ b/FAQ.xml
@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: FAQ.xml,v 1.8 2005/11/30 03:20:40 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.9 2005/12/21 02:15:29 marka Exp $ -->

 <article class="faq">
  <title>Frequently Asked Questions about BIND 9</title>
@ -1017,9 +1017,176 @@ empty:
 	       1 3600 1200 604800 10800 )
@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
 	</informalexample>
+	<para>
 	<note>
 	  Future versions of named are likely to do this automatically.
 	</note>
+	</para>
+      </answer>
+    </qandaentry>
+
+    <qandaentry>
+      <question>
+	<para>
+	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+	</para>
+	<para>
+	  Why can't named update slave zone database files?
+	</para>
+	<para>
+	  Why can't named create DDNS journal files or update
+	  the master zones from journals?
+	</para>
+	<para>
+	  Why can't named create custom log files?
+	</para>
+      </question>
+
+      <answer>
+	<para>
+	  Red Hat Security Enhanced Linux (SELinux) policy security
+	  protections :
+	</para>
+
+	<para>
+	   Red Hat have adopted the National Security Agency's
+	   SELinux security policy ( see http://www.nsa.gov/selinux
+	   ) and recommendations for BIND security , which are more
+	   secure than running named in a chroot and make use of
+	   the bind-chroot environment unecessary .
+	</para>
+
+	<para>
+	  By default, named is not allowed by the SELinux policy
+	  to write, create or delete any files EXCEPT in these
+	  directories:
+	  <informalexample>
+	    <programlisting>
+$ROOTDIR/var/named/slaves
+$ROOTDIR/var/named/data
+$ROOTDIR/var/tmp
+	    </programlisting>
+	  </informalexample>
+	  where $ROOTDIR may be set in /etc/sysconfig/named if
+	  bind-chroot is installed.
+	</para>
+
+	<para>
+	  The SELinux policy particularly does NOT allow named to modify
+	  the $ROOTDIR/var/named directory, the default location for master
+	  zone database files.
+	</para>
+
+	<para>
+	  SELinux policy overrules file access permissions - so
+	  even if all the files under /var/named have ownership
+	  named:named and mode rw-rw-r--, named will still not be
+	  able to write or create files except in the directories
+	  above, with SELinux in Enforcing mode.
+	</para>
+  
+	<para>
+	  So, to allow named to update slave or DDNS zone files,
+	  it is best to locate them in $ROOTDIR/var/named/slaves,
+	  with named.conf zone statements such as:
+	  <informalexample>
+	    <programlisting>
+zone "slave.zone." IN {
+	type slave;
+	file "slaves/slave.zone.db";
+	...
+};   
+zone "ddns.zone." IN  {
+	type master;
+	allow-updates {...};
+	file "slaves/ddns.zone.db";
+};
+	    </programlisting>
+	  </informalexample>
+	</para>
+
+	<para>
+	  To allow named to create its cache dump and statistics
+	  files, for example, you could use named.conf options
+	  statements such as:
+	  <informalexample>
+	    <programlisting>
+options {
+	...
+	dump-file "/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	...
+};
+	    </programlisting>
+	  </informalexample>
+	</para>
+
+	<para>
+	  You can also tell SELinux to allow named to update any
+	  zone database files, by setting the SELinux tunable boolean
+	  parameter 'named_write_master_zones=1', using the
+	  system-config-securitylevel GUI, using the 'setsebool'
+	  command, or in /etc/selinux/targeted/booleans.
+	</para>
+  
+	<para>
+	  You can disable SELinux protection for named entirely by
+	  setting the 'named_disable_trans=1' SELinux tunable boolean
+	  parameter.
+	</para>
+    
+	<para>
+	  The SELinux named policy defines these SELinux contexts for named:
+	  <informalexample>
+	    <programlisting>
+named_zone_t : for zone database files       - $ROOTDIR/var/named/*
+named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+	    </programlisting>
+	  </informalexample>
+	</para>
+   
+	<para>
+	  If you want to retain use of the SELinux policy for named,
+	  and put named files in different locations, you can do
+	  so by changing the context of the custom file locations
+	  .
+	</para>
+
+	<para>
+	  To create a custom configuration file location, eg.
+	  '/root/named.conf', to use with the 'named -c' option,
+	  do:
+	  <informalexample>
+	    <programlisting>
+# chcon system_u:object_r:named_conf_t /root/named.conf
+	    </programlisting>
+	  </informalexample>
+	</para>
+  
+	<para>
+	  To create a custom modifiable named data location, eg.
+	  '/var/log/named' for a log file, do:
+	  <informalexample>
+	    <programlisting>
+# chcon system_u:object_r:named_cache_t /var/log/named
+	    </programlisting>
+	  </informalexample>
+	</para>
+   
+	<para>
+   To create a custom zone file location, eg. /root/zones/, do:
+	  <informalexample>
+	    <programlisting>
+# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+	    </programlisting>
+	  </informalexample>
+	</para>
+  
+	<para>
+	  See these man-pages for more information : selinux(8),
+	  named_selinux(8), chcon(1), setsebool(8)
+	</para>
      </answer>
    </qandaentry>
  </qandaset>