Issues setting up a 2nd Private DNS server

Daniel B. Thurman dant at cdkkt.com
Mon Jun 2 20:21:05 UTC 2008


Daniel J Walsh wrote:
>
> Daniel B. Thurman wrote:
> >
> > I am trying to setup a 2nd private DNS server in my private
> > network, behind the firewall (with DNS access enabled) and
> > I am able to resolve all of my local systems.  However, I have
> > some problems. One involves SELinux and the other involved
> > forwarding as shown below:
> >
> > 1) SELinux errors are reported only when starting/stopping/restarting
> >    named.
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc:
> > denied  { read write } for  pid=7037 comm="named" path="socket:[874313]"
> > dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0
> > tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122):
> > arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38
> > a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named"
> > exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc:
> > denied  { read write } for  pid=7064 comm="rndc" path="socket:[874313]"
> > dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0
> > tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123):
> > arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078
> > a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc"
> > exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc:
> > denied  { read write } for  pid=7034 comm="mount" path="socket:[874313]"
> > dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120):
> > arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8
> > a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount"
> > exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > 2) Forwarders do not work:
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > ** server can't find msn.com: NXDOMAIN
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Please advise,
> > Dan
> >
> This looks like either a leaked file descriptor, which can be
> ignored/dontaudited
>
> Or it could be a redirection of the terminal to a unix_stream_socket.
>
Huh?  I am not sure what you are saying, nor am I sure
what to do to fix these SELinux AVC errors.

As for DNS forwarding, SELinux does not seem to have
anything to do with preventing forwarding AFAIK; I
tested by setting 'setenforce 0', then using nslookup
on 'msn.com.' - it still fails.

I wonder how to debug the named to see why forwarding
fails...  can anyone help?

Thanks-
Dan
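An added example to go with the exchange above (it is not code from the thread or from any of the participants): a small triage script that parses audit records shaped like the ones Dan quoted, pairs each AVC with its SYSCALL record by the audit(timestamp:serial) id, and checks for the pattern Dan Walsh is pointing at. A denial is flagged as a leaked descriptor when the object is a socket (or fd) labelled with another domain and the check fired at execve, i.e. the new domain inherited the descriptor from its parent rather than opening it. Only those denials are rendered into an audit2allow-style dontaudit module; anything else is left as "needs review". The three AVC/SYSCALL pairs are the ones from the quoted post, rejoined onto single lines; the fourth denial (serial 4130, a file read) is constructed to show the non-leak case. The execve numbers (11 on i386, arch 40000003 as in the thread; 59 on x86_64) are standard syscall numbers, not something taken from the page.

```python
"""Triage SELinux AVC denials for the leaked-file-descriptor pattern.

Added example, not code from the thread. It pairs each AVC with its SYSCALL
record and asks: was the denied object a socket/fd the process inherited,
owned by another domain, and checked at execve? Only that case is offered
for dontaudit; everything else stays marked for review.
"""
import re
from collections import defaultdict

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')       # key=value, quoted or bare
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')       # { read write }
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(timestamp:serial)

# execve number per audit arch: 40000003 is i386 (as in the thread), c000003e is x86_64
EXECVE_BY_ARCH = {"40000003": "11", "c000003e": "59"}

# Constructed sample: the three AVC/SYSCALL pairs quoted in the thread, rejoined onto
# one line each, plus a made-up file denial (serial 4130) that is NOT a leaked fd.
SAMPLE_AUDIT = """\
host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc:  denied  { read write } for  pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38 a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc:  denied  { read write } for  pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078 a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc:  denied  { read write } for  pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8 a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
host=gold.cdkkt.com type=AVC msg=audit(1212426200.000:4130): avc:  denied  { read } for  pid=7037 comm="named" name="example.zone" dev=dm-0 ino=99999 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426200.000:4130): arch=40000003 syscall=5 success=no exit=-13 pid=7037 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
"""


def parse_record(line):
    """One audit line -> dict of its key=value fields, plus timestamp, serial and perms."""
    rec = {key: (quoted if raw.startswith('"') else raw)
           for key, raw, quoted in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    p = _PERMS.search(line)
    if p and rec.get("type") == "AVC":
        rec["perms"] = p.group(1).split()
    return rec


def domain(context):
    """system_u:system_r:named_t:s0 -> named_t (the type component)."""
    return context.split(":")[2]


def classify(avc, syscall):
    """Verdict for one denial: 'leaked_fd' or 'needs_review'."""
    inherited_object = avc.get("dev") == "sockfs" or avc.get("tclass") == "fd"
    cross_domain = domain(avc["scontext"]) != domain(avc["tcontext"])
    at_exec = bool(syscall) and EXECVE_BY_ARCH.get(syscall.get("arch")) == syscall.get("syscall")
    verdict = "leaked_fd" if inherited_object and cross_domain and at_exec else "needs_review"
    return {"serial": avc["serial"], "comm": avc.get("comm"), "domain": domain(avc["scontext"]),
            "target_domain": domain(avc["tcontext"]), "tclass": avc["tclass"],
            "perms": avc.get("perms", []), "ino": avc.get("ino"), "verdict": verdict}


def triage(lines):
    """Group records by serial, classify each AVC, note descriptors shared across domains."""
    events = defaultdict(dict)
    for rec in (parse_record(l) for l in lines if l.strip()):
        if "serial" in rec and "type" in rec:
            events[rec["serial"]][rec["type"]] = rec
    findings = [classify(ev["AVC"], ev.get("SYSCALL")) for ev in events.values() if "AVC" in ev]
    # The same inode denied to several domains means one descriptor was handed
    # down from a common ancestor (here: whatever launched the init script).
    by_ino = defaultdict(set)
    for f in findings:
        by_ino[f["ino"]].add(f["domain"])
    for f in findings:
        f["shared_with"] = sorted(by_ino[f["ino"]] - {f["domain"]})
    return sorted(findings, key=lambda f: f["serial"])


def dontaudit_module(findings, name="local_leaked_fd"):
    """audit2allow-style module text that silences only the leaked_fd findings."""
    leaked = [f for f in findings if f["verdict"] == "leaked_fd"]
    types = sorted({f["domain"] for f in leaked} | {f["target_domain"] for f in leaked})
    classes = defaultdict(set)
    for f in leaked:
        classes[f["tclass"]].update(f["perms"])
    rules = sorted({"dontaudit %s %s:%s { %s };" % (f["domain"], f["target_domain"],
                                                   f["tclass"], " ".join(f["perms"])) for f in leaked})
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT.splitlines()):
        print("%(serial)s %(comm)-6s %(domain)-8s -> %(target_domain)s:%(tclass)s %(verdict)s shared_with=%(shared_with)s" % f)
    print(dontaudit_module(triage(SAMPLE_AUDIT.splitlines())))
```

Run against the sample, all three socket denials come out as `leaked_fd` and the same inode 874313 shows up for mount_t, named_t and ndc_t, which is what you would expect if one unix stream socket owned by the unconfined shell was inherited by everything the init script spawned. A dontaudit rule only quiets the log; it grants nothing, and the descriptor is still handed to the child. The lasting fix is to stop the inheritance at the point where the service is launched, which is what the second half of Dan Walsh's reply (a terminal redirected to a unix_stream_socket) is hinting at.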