selinux interfering with dynamic dns
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 3 14:37:58 UTC 2008
Edward Kuns wrote:
> I have dhcp + named set up to cooperate, but selinux (understandably)
> denies named write access to the files it needs to modify for dynamic
> dns updates. I have created the following policy. Is there a better
> way of doing this? Best would be if there was a way to allow write
> access *only* to those handful of files in /var/named/chroot/var/named
> that are truly dynamic, perhaps by labeling. Would it be possible or
> reasonable to add named_dynamic_zone_t or some equivalent? Is there a
> better way to solve this problem or am I missing some already-available
> mechanism?
>
> Thanks
>
> Eddie
>
>
> module mybind 1.0;
>
> require {
> type named_t;
> type named_zone_t;
> class file write;
> }
>
> #============= named_t ==============
> # Grants named_t write on every file labeled named_zone_t (all zone files),
> # not only the handful that are updated dynamically.
> allow named_t named_zone_t:file write;
>
There is currently a boolean to allow this.
getsebool named_write_master_zones
man named_selinux
will give further explanation.
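The boolean in Dan's answer is the coarse switch: with named_write_master_zones on, named_t may write every file of type named_zone_t. The finer-grained labeling Eddie asked about can be built as a small local policy module. What follows is an added example written for this page, not code from the thread or from the Fedora/refpolicy project. It assumes the dynamically updated zones (and their .jnl journals) live in their own directory, /var/named/chroot/var/named/dynamic, and that the type name named_dynamic_zone_t, the module name named_dynamic and the selinux-policy-devel Makefile path are as shown. The .te and .fc files of the module are shown in one block, separated by comment lines; copy each part into its own file.

```selinux
# ---- named_dynamic.te ----  (hypothetical module; added example, not distro policy)
policy_module(named_dynamic, 1.0)

require {
    type named_t;
}

# Own type for zone files that named rewrites itself via dynamic update.
# files_type() registers it as an ordinary file type, so admin domains,
# restorecon and semanage can manage it like any other file.
type named_dynamic_zone_t;
files_type(named_dynamic_zone_t)

# named writes a zone by creating a temporary file and renaming it over the
# old one, and keeps a .jnl journal next to it, so it needs add_name/remove_name
# on the directory plus create/rename/unlink on files, not just file write.
# Static zones stay named_zone_t and remain read-only for named_t.
allow named_t named_dynamic_zone_t:dir rw_dir_perms;
allow named_t named_dynamic_zone_t:file manage_file_perms;

# ---- named_dynamic.fc ----  (directory name is an assumption)
/var/named/chroot/var/named/dynamic(/.*)?  gen_context(system_u:object_r:named_dynamic_zone_t,s0)
/var/named/dynamic(/.*)?                   gen_context(system_u:object_r:named_dynamic_zone_t,s0)

# Build, load and relabel (as root, with selinux-policy-devel installed):
#   make -f /usr/share/selinux/devel/Makefile named_dynamic.pp
#   semodule -i named_dynamic.pp
#   restorecon -Rv /var/named/chroot/var/named/dynamic
#   ls -Z /var/named/chroot/var/named/dynamic   # entries should now show named_dynamic_zone_t
```

Before adding a type, check what the installed policy already assigns to that path with `matchpathcon /var/named/chroot/var/named/dynamic`; current Fedora policy labels /var/named/dynamic as named_cache_t, which named may already write, so on such a system no module is needed. If the boolean is enough, set it persistently with `setsebool -P named_write_master_zones on` (without -P the change is lost at reboot); the custom type only pays off when you want named's write access confined to that one directory.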