Skip to main content

DNS Custom Logs and selinux

If you google "named custom logs selinux" you will find quite a bit of chatter about setting up custom logs outside of /var/log for DNS (named). These posts are interesting, but they tend to be run on posts about learning selinux and becoming an expert on named.

What you need to know? If you have setup custom logging locations in your /etc/named.conf file, such as:

    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

Then you will likely see errors like this in /var/log/messages:

Oct 26 11:41:13 namedsvr setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named/chroot/var/log/named. For complete SELinux messages. run sealert -l 6eab4aaf-e615-4ade-9e88-4efdc789eaf2

Then you run the sealert command as suggested by the very friendly selinux audit log and you are told:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, var_run_t, named_var_run_t, named_log_t, named_tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

This is important information because your custom log locations are not labeled correctly, as in:

[root@namedsvr log]# ls -Z /var/named/chroot/var/log
drwxr-xr-x. named named unconfined_u:object_r:named_conf_t:s0 named

This named_conf_t type is very critical here. What you want to do now is change this type to be named_log_t:

chcon -t named_log_t /var/named/chroot/var/log/named

Restart named and error messages should go away.

Where did this named_conf_t type come from?

> more /etc/selinux/targeted/contexts/files/file_contexts

Run that more command see look at all of those labels. You want to find the named "chroot" labels and eventually work your way down to the /var/named/chroot/var/log paths. Then you want to add your own rule for the var/log/named path so that it sets the proper type to named_log_t. That way this change will survive reboot and restorecon, which is also very important.

A good place to start learning selinux:


Popular posts from this blog

Clustered Foolishness

I had morning coffee with a well respected friend of mine recently. Aside from chatting about the usual wifery and family, we touched on the subject of clustered indices and SQL Server performance. A common misconception in the software industry is that a clustered index will make your database queries faster. In fact, most cases will demonstrate the polar opposite of this assumption. The reason for this misconception is a misunderstanding of how the clustered index works in any database server. A clustered index is a node clustering of records that share a common index value. When you decide on an index strategy for your data, you must consider the range of data to be indexed. Remember back to your data structures classes and what you were taught about hashtable optimizations. A hashtable, which is another way of saying a database index, is just a table of N values that organizes a set of M records in quickly accessible lists that are of order L, where L is significantly less than M. ...
Read more

Deadly Information

Remember back to 2006 when a young girl killed herself [1] , [4] after being tricked and harassed by a faux boy she found on the Web using MySpace. The trial against the faux boy, an adult woman (Lori Drew), did not result in prosecution for the death of Megan, much to the dismay of many.  Yet, today we read about another trial where someone is being accused of second degree murder because they may have mentioned something slanderous about another person who was later killed by a hit man [2] . In this case, though, the person on trial is a former FBI agent who was working deep cover to infiltrate organized crime. In both cases, someone released information to third parties that resulted in the death of another person.  Neither defendant in either of these cases actually committed the act of murder, though. In the case of the FBI agent, though, the murder charge is being taken seriously. Yet, in the MySpace slander case, the murder charge was not taken seriously. How are t...
Read more

Faster Climate Change

CNN reports that a WWF study has found that global climate change is happening faster than predicted in 2007 and that there will not be any arctic ice by 2013, or 2040. [1] Then it goes on to say that global sea level will increase by 1.08 meters by the end of the century, which is 2100, 92 years from now. Quite honestly, nobody really cares what is going to happen to the planet in 98 years. Why? Because in 98 years we (as humans) will either: (1) Obliterate ourselves because God told us to do it. (2) Eat eachother because there will no longer be any land available to grow crops and sustain living quarters for our 50 billion people. (3) Suffocate because our planet will no longer smell nice thanks to 50 billion people producing lots of solid waste in our oceans. (4) Leave the planet because there will no longer be enough fresh water to sustain our lives. Wait a minute. Consider (4) for a moment. Where can we get an abundance of fresh water TODAY? Anyone? Yeah, the arctic! It's goin...
Read more