RE: Selinux and named

["Erik LaBianca" <erik totalcirculation com>]

> -----Original Message-----
> From: fedora-devel-list-bounces redhat com [mailto:fedora-devel-list-
> bounces redhat com] On Behalf Of Ivan Gyurdiev
> Sent: Monday, March 29, 2004 6:35 PM
> To: fedora-devel-list redhat com
> Subject: Selinux and named
> 
> Named complains: capset failed whether in enforcing mode or not.
> 
> Online documentation suggests ./configure --disable-linux-caps,
> but I'd like to keep my bind rpm.
> 
> What could be the problem?
> 

Bind automatically tries to escalate its priority, and something
(selinux?) is denying it. I'd like to suggest that the officially
distributed bind be built with --disable-linux-caps. Programs should not
automatically attempt to escalate themselves IMHO. If the process
priority needs to be changed, it should be done in the init script.

This change would also allow fedora's bind to work under a vserver
without modifications, which would certainly make a few of us happy.

You could probably fix this problem by changing the selinux policy, but
I can't help you much there. With vserver, you would need to allow
CAP_SYS_RESOURCE, and I'm guessing the solution under selinux would be
close to that.

--erik