07-10-2008, 11:22 PM
"Meenoo Shivdasani"

bind9, SELinux, ServFail

I just set up a CentOS 5.2 system with bind9 (9.3.4-6.0.1.P1.el5) and
I'm running up against a problem that seems to be related to SELinux.
If I set named_disable_trans to 1, everything works as expected, but
if I leave it enabled the server will only give me data for the zones
for which it is authoritative. For external sites it returns a
ServFail error. This is with nslookup and dig.

If I start named from the command line with the command "named -u
named", the server returns the expected response.

tcpdump shows that the server is querying itself and getting a
ServFail response.

I figure that I'm missing something really basic, but not sure what.

Debug logs show this:

FAIL:

clientmgr @0x2b491728c1d0: createclients
clientmgr @0x2b491728c1d0: recycle
.
.
.
fctx 0x2b49173153e0(www.google.com/A'): shutdown
client 192.168.213.111#33096: view internal: error

Succeed:

clientmgr @0x2b109771bd30: createclients
clientmgr @0x2b109771bd30: create new
.
.
.
res 0x2b109778cae0: dns_resolver_prime
res 0x2b109778cae0: priming
createfetch: . NS
fctx 0x2b109781e280(./NS'): create
fctx 0x2b109781e280(./NS'): join
fetch 0x2b109781e260 (fctx 0x2b109781e280(./NS)): created
dns_adb_createfind: found A for name 0x2b109780fa70 in db
fctx 0x2b109781e280(./NS'): start
res 0x2b109778cae0: dns_resolver_prime
fctx 0x2b109781e280(./NS'): try
fctx 0x2b109781e280(./NS'): cancelqueries
fctx 0x2b109781e280(./NS'): getaddresses
dns_adb_createfind: found AAAA for name 0x2b109780fa70
.
.
.

Any ideas?
Thanks in advance,

M
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-11-2008, 01:22 AM
"Filipe Brandenburger"

bind9, SELinux, ServFail

On Thu, Jul 10, 2008 at 7:22 PM, Meenoo Shivdasani <meenoo@gmail.com> wrote:
> I'm running up against a problem that seems to be related to SELinux.
> Any ideas?

If it's SELinux related, have a look at /var/log/audit/audit.log, that
will tell you what is being blocked in SELinux. That would be a good
start. Let us know what you found there, then we might be able to help
you a little more.

HTH,
Filipe
 
07-11-2008, 01:41 AM
"Meenoo Shivdasani"

bind9, SELinux, ServFail

> If it's SELinux related, have a look at /var/log/audit/audit.log, that
> will tell you what is being blocked in SELinux. That would be a good
> start. Let us know what you found there, then we might be able to help
> you a little more.

That's a huge help -- didn't occur to me to look in audit.log -- that
said, I'm not entirely sure what SELinux is doing here (other than
denying the connection). Or, to be more accurate, I don't understand
why it's denying the connection, therefore don't know how to make it
behave...

type=AVC msg=audit(1215740151.446:796): avc: denied { name_bind }
for pid=21081 comm="named" src=16660
scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=udp_socket

type=SYSCALL msg=audit(1215740151.446:796): arch=c000003e syscall=49
success=no exit=-13 a0=1f a1=43c8ed40 a2=1c a3=43c8eb3c items=0 ppid=1
pid=21081 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25
sgid=25 fsgid=25 tty=(none) ses=60 comm="named" exe="/usr/sbin/named"
subj=root:system_r:named_t:s0 key=(null)

Ideas & thoughts welcome...
Thanks,

M
 
07-11-2008, 02:34 AM
"Filipe Brandenburger"

bind9, SELinux, ServFail

On Thu, Jul 10, 2008 at 9:41 PM, Meenoo Shivdasani <meenoo@gmail.com> wrote:
> type=AVC msg=audit(1215740151.446:796): avc: denied { name_bind }
> for pid=21081 comm="named" src=16660
> scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0
> tclass=udp_socket

SELinux is preventing BIND from opening port UDP/16660. Did you configure
BIND to use that specific non-standard port?

Filipe
 
07-11-2008, 02:36 AM
"Meenoo Shivdasani"

bind9, SELinux, ServFail

> SELinux is preventing BIND from opening port UDP/16660. Did you configure
> BIND to use that specific non-standard port?

I installed the latest version of BIND which randomizes the source
port...do you think that's the problem? If so, how do I get SELinux
to accept it?

M
 
07-11-2008, 02:39 AM
"Meenoo Shivdasani"

bind9, SELinux, ServFail

On 7/10/08, Meenoo Shivdasani <meenoo@gmail.com> wrote:
> > SELinux is preventing BIND from opening port UDP/16660. Did you configure
> > BIND to use that specific non-standard port?
>
>
> I installed the latest version of BIND which randomizes the source
> port...do you think that's the problem? If so, how do I get SELinux
> to accept it?

To be more accurate, I installed the patched version of BIND which
randomizes the source port to address the latest DNS vulnerability.

M
 
07-11-2008, 02:44 AM
"Filipe Brandenburger"

bind9, SELinux, ServFail

On Thu, Jul 10, 2008 at 10:39 PM, Meenoo Shivdasani <meenoo@gmail.com> wrote:
> To be more accurate, I installed the patched version of BIND which
> randomizes the source port to address the latest DNS vulnerability.

Did you update the "selinux-policy" package at the same time?

On my system I have bind-9.3.4-6.0.1.P1.el5_2 and
selinux-policy-2.4.6-137.1.el5, both of them were signed at
approximately the same time, and were installed at approximately the
same time on my system, which tells me they most probably came from
the same update (it's easy to confirm that by looking at the
centos-announce mails).

Also:

$ rpm -q --changelog selinux-policy
* Tue Apr 29 2008 Dan Walsh <dwalsh@redhat.com> 2.4.6-137.1
- Allow named to bind to any udp port
Resolves: #451971
...

Well, I'm almost positive that is what you are missing.

HTH,
Filipe
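An added example, not code from the thread, BIND or the CentOS project: a small Python triage script that pairs an AVC record with its SYSCALL record by audit serial, decodes the SELinux contexts, and flags exactly the named_t -> port_t UDP name_bind denial Filipe identified, the one the 2.4.6-137.1 selinux-policy change ("Allow named to bind to any udp port") resolves. The sample log is constructed from the two records posted above; the verdict labels are this example's own.

```python
import re

# Constructed sample input: the AVC/SYSCALL pair from the thread, one record per line as
# auditd writes it, with the mangled tcontext restored to system_u:object_r:port_t:s0.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215740151.446:796): avc:  denied  { name_bind } for  pid=21081 comm="named" src=16660 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215740151.446:796): arch=c000003e syscall=49 success=no exit=-13 a0=1f a1=43c8ed40 a2=1c a3=43c8eb3c items=0 ppid=1 pid=21081 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=60 comm="named" exe="/usr/sbin/named" subj=root:system_r:named_t:s0 key=(null)
"""

HDR_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc: +(?P<result>denied|granted) +\{ *(?P<perms>[^}]*)\} +for +(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number so each AVC sits next to its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        m = HDR_RE.match(line.strip())
        if not m:
            continue
        rec = events.setdefault(m['serial'], {'ts': m['ts']})
        if m['type'] == 'AVC':
            a = AVC_RE.match(m['body'])
            if a:
                rec['avc'] = {k: v.strip('"') for k, v in KV_RE.findall(a['fields'])}
                rec['avc'].update(result=a['result'], perms=a['perms'].split())
        elif m['type'] == 'SYSCALL':
            rec['syscall'] = {k: v.strip('"') for k, v in KV_RE.findall(m['body'])}
    return events

def selinux_type(ctx):  # type component of a user:role:type[:level] context
    return ctx.split(':')[2]

def diagnose(event):
    """Decode one denial; flag the named_t -> port_t UDP name_bind pattern seen in the thread."""
    avc = event.get('avc')
    if avc is None or avc['result'] != 'denied':
        return None
    sc = event.get('syscall', {})
    out = {'comm': avc.get('comm'), 'exe': sc.get('exe'), 'uid': sc.get('uid'),
           'port': int(avc['src']) if 'src' in avc else None,
           'subject': selinux_type(avc['scontext']), 'target': selinux_type(avc['tcontext']),
           'tclass': avc['tclass'], 'perms': avc['perms']}
    # port_t labels unreserved ports (53 is dns_port_t, which named_t may bind); a denied UDP
    # name_bind to port_t is what source-port randomisation hits on a pre-137.1 selinux-policy.
    ephemeral = ('name_bind' in out['perms'] and out['tclass'] == 'udp_socket'
                 and out['subject'] == 'named_t' and out['target'] == 'port_t')
    out['verdict'] = 'named_ephemeral_udp_bind' if ephemeral else 'other'
    return out
```

Run it over a real /var/log/audit/audit.log by replacing SAMPLE_AUDIT_LOG with the file contents; any event whose verdict is named_ephemeral_udp_bind points at the policy version rather than at named.conf.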
 
07-11-2008, 02:50 AM
"Meenoo Shivdasani"

bind9, SELinux, ServFail

On 7/10/08, Filipe Brandenburger <filbranden@gmail.com> wrote:

> Did you update the "selinux-policy" package at the same time?

> Well, I'm almost positive that is what you are missing.

Filipe,

You nailed it. That was what I was missing.

Many thanks,

M
 