Confused about SELinux error


Confused about SELinux error

Todd Chester
Hi All,

What does this SELinux error mean when I start bind-chroot?

      # semanage fcontext -a -t FILE_TYPE 'session.key'

      where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
      ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
      named_log_t, named_tmp_t, named_var_run_t.

     # semanage fcontext -a -t named_var_run_t 'session.key'
     # restorecon -v 'session.key'


How am I supposed to know what "FILE_TYPE" they are talking about?

-T


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Confused about SELinux error

Petr Mensik
Hi Todd,

that means you are trying to save session.key into a directory where SELinux is forbidding write access to named.
Session.key is a file created once per start and removed before shutdown. I think you have something wrong with the link /var/run/named -> /run/named.
The default built-in value is /var/run/named/session.key. The default Fedora configuration uses /run/named/session.key. Both paths should work without difference.

The correct SELinux type for files in /run/named is named_var_run_t. I think you should run this instead:
$ restorecon -rv /run/named /var/run/named

Then restart named service. Context of a new file should be already correct.

Do you have this option in your configuration file? What is its value?
# options { ...
session-keyfile "/run/named/session.key";

It would be helpful if you include your configuration in readable form, please.

The listed types are most likely the types named is allowed to touch. I admit SELinux errors are often confusing. What you wrote here are hints on how to solve the error, not the error itself.
More helpful errors would be printed by:
$ ausearch -i -ts today -m avc -m user_avc -m selinux_err

Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]  PGP: 65C6C973
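Petr's distinction above (the sealert text is a hint, the AVC record from `ausearch` is the error) is easy to put to work. The script below is an added example for this thread, not code from the list, from ISC or from Red Hat: it pulls the subject, target, class and permission out of a raw AVC line and decides whether the target directory is mislabelled (the case `restorecon` fixes) or already carries the expected label (in which case relabelling is pointless and the denial is a policy question). SAMPLE_AVC is a constructed denial, not a line from Todd's host; the pid, inode and timestamp are made up, and the expected type for /run/named is hard-coded from Petr's message rather than queried from the loaded policy (on a real system use `matchpathcon PATH` for that).

```shell
#!/bin/sh
# Added example, not code from the thread. Parses one AVC denial as printed by
# `ausearch -m avc` (raw format, without -i) and decides whether the target is
# mislabelled. SAMPLE_AVC is constructed: pid, ino and timestamp are invented.
SAMPLE_AVC='type=AVC msg=audit(1502486351.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="named" dev="tmpfs" ino=9876 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of KEY=VALUE from an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub("\"", "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perms LINE: print the permissions listed between "{" and "}" (e.g. "write").
avc_perms() {
    printf '%s\n' "$1" | awk '{
        out = ""; inside = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "}") break
            if (inside) out = (out == "" ? $i : out " " $i)
            if ($i == "{") inside = 1
        }
        print out
    }'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the policy should assign to PATH. Hard-coded
# from the thread for the named runtime directory (assumption: only these two
# paths matter here); on a real host ask the loaded policy with `matchpathcon`.
expected_type() {
    case $1 in
        /run/named|/run/named/*|/var/run/named|/var/run/named/*) echo named_var_run_t ;;
        *) echo unknown ;;
    esac
}

# diagnose LINE PATH: compare the AVC target type with the expected one.
# Exit status: 0 mislabelled (restorecon fixes it), 1 label already correct
# (a policy question, not a labelling one), 2 no expectation known for PATH.
diagnose() {
    line=$1
    path=$2
    actual=$(ctx_type "$(avc_field "$line" tcontext)")
    expected=$(expected_type "$path")
    subject=$(ctx_type "$(avc_field "$line" scontext)")
    printf '%s (%s) denied { %s } on %s %s\n' \
        "$(avc_field "$line" comm)" "$subject" "$(avc_perms "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" name)"
    if [ "$expected" = unknown ]; then
        printf 'no expected type known for %s; check with: matchpathcon %s\n' "$path" "$path"
        return 2
    elif [ "$actual" = "$expected" ]; then
        printf '%s is already %s; relabelling will not help, the denial is a policy question\n' "$path" "$actual"
        return 1
    else
        printf '%s is %s but policy expects %s; run: restorecon -Rv %s\n' "$path" "$actual" "$expected" "$path"
        return 0
    fi
}

diagnose "$SAMPLE_AVC" /run/named
```

For the constructed line the target directory is labelled var_run_t while the policy expects named_var_run_t, so the script prints the `restorecon -Rv /run/named` call Petr recommends. Feed it a real line by replacing SAMPLE_AVC with the output of `ausearch -m avc -ts today | grep 'comm="named"'`; if the type already matches, `semanage fcontext` will not help and the permission itself has to be looked up in the policy.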

Re: Confused about SELinux error

Todd Chester
>> ----- Original Message -----
>> From: "ToddAndMargo" <[hidden email]>
>> To: [hidden email]
>> Sent: Friday, August 11, 2017 10:39:11 PM
>> Subject: Confused about SELinux error
>>
>> Hi All,
>>
>> What does this SELinux error mean when I start bind-chroot?
>>
>>        # semanage fcontext -a -t FILE_TYPE 'session.key'
>>
>>        where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
>>        ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
>>        named_log_t, named_tmp_t, named_var_run_t.
>>
>>       # semanage fcontext -a -t named_var_run_t 'session.key'
>>       # restorecon -v 'session.key'
>>
>>
>> How am I supposed to know what "FILE_TYPE" they are talking about?
>>
>> -T

On 08/14/2017 06:26 AM, Petr Mensik wrote:

> Hi Todd,
>
> that means you are trying to save session.key into a directory where SELinux is forbidding write access to named.
> Session.key is a file created once per start and removed before shutdown. I think you have something wrong with the link /var/run/named -> /run/named.
> The default built-in value is /var/run/named/session.key. The default Fedora configuration uses /run/named/session.key. Both paths should work without difference.
>
> The correct SELinux type for files in /run/named is named_var_run_t. I think you should run this instead:
> $ restorecon -rv /run/named /var/run/named
>
> Then restart named service. Context of a new file should be already correct.
>
> Do you have this option in your configuration file? What is its value?
> # options { ...
> session-keyfile "/run/named/session.key";
>
> It would be helpful if you include your configuration in readable form, please.

Chuckle.  I promise not to use zoho's web mail.  And
I thought gMail's web mail stunk!


> The listed types are most likely the types named is allowed to touch. I admit SELinux errors are often confusing. What you wrote here are hints on how to solve the error, not the error itself.
> More helpful errors would be printed by:
> $ ausearch -i -ts today -m avc -m user_avc -m selinux_err
>
> Regards,
> Petr
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: [hidden email]  PGP: 65C6C973
>


Hi Petr,

Thank you for responding!  I have attached my
named.conf and my dhcpd.conf

I have an rndc.key in /var/named/chroot/etc/:

key "rndckey" {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};


But I don't see named.conf calling it out.  It may
be a holdover from the previous CentOS 5 installation.

I do see "key DHCP_UPDATER" called out.  Perhaps
that is what rndckey is about?

-T



~~~~~~~~~~~~~ named.conf ~~~~~~~~~~~~~~~
options {
        # the following forwarders are for OpenDNS
        forwarders { 208.67.222.222; 208.67.220.220; };
        directory "/var/named";
};

zone "." {
        type hint;
        file "named.ca";
};

key DHCP_UPDATER {
        algorithm hmac-md5;
        secret xxxxxxxxxxxxxxxxxxxxxxxx;
};

zone "xxxx.local" {
        type master;
        file "slaves/xxxxx.hosts";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "yyy.168.192.in-addr.arpa" {
        type master;
        file "slaves/xxxxx.hosts.rev";
        allow-update { key DHCP_UPDATER; };
#       allow-update { 127.0.0.1; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

logging {
        channel update_debug {
                file "slaves/named-update-debug.log";
                severity  debug 3;
                print-category yes;
                print-severity yes;
                print-time     yes;
        };
        channel security_info {
                file "slaves/named-auth.info";
                severity  info;
                print-category yes;
                print-severity yes;
                print-time     yes;
        };

        category update { update_debug; };
        category security { security_info; };
};


~~~~~~~~~~~~~ dhcpd.conf ~~~~~~~~~~~~~~~
DHCPDARGS=eno1;
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;

option ntp-servers 192.168.xxx.yyy;
option domain-name "xxxxxx.local";
option domain-name-servers 192.168.xxx.yyy;
option netbios-node-type 8;


key DHCP_UPDATER {
     algorithm hmac-md5;
     secret xxxxxxxxxxxxxxxxxxxxxxx;
};

zone xxxxx.local. {
         primary 127.0.0.1;
         key DHCP_UPDATER;
}

zone xxx.168.192.in-addr.arpa. {
         primary 127.0.0.1;
         key DHCP_UPDATER;
}


subnet 192.168.xxx.0 netmask 255.255.255.0 {
         range 192.168.xxx.100 192.168.xxx.200;
         default-lease-time 10368000;
         max-lease-time 10368000;
         option subnet-mask 255.255.255.0;
         option broadcast-address 192.168.xxx.255;
         option routers 192.168.xxx.yyy;
         option domain-name-servers 192.168.xxx.yyy;
         option domain-name "xxxxxx.local";
         option time-offset 39600;
         option ip-forwarding off;
         option netbios-node-type 1;

         # numerous fix IP removed for brevity

}


subnet  aaa.bbb.ccc.ddd netmask 255.255.255.252 {}


