Skip to main content

DNS Custom Logs and selinux

If you google "named custom logs selinux" you will find quite a bit of chatter about setting up custom logs outside of /var/log for DNS (named). These posts are interesting, but they tend to be run on posts about learning selinux and becoming an expert on named.

What you need to know? If you have setup custom logging locations in your /etc/named.conf file, such as:

    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

Then you will likely see errors like this in /var/log/messages:

Oct 26 11:41:13 namedsvr setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named/chroot/var/log/named. For complete SELinux messages. run sealert -l 6eab4aaf-e615-4ade-9e88-4efdc789eaf2

Then you run the sealert command as suggested by the very friendly selinux audit log and you are told:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, var_run_t, named_var_run_t, named_log_t, named_tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

This is important information because your custom log locations are not labeled correctly, as in:

[root@namedsvr log]# ls -Z /var/named/chroot/var/log
drwxr-xr-x. named named unconfined_u:object_r:named_conf_t:s0 named

This named_conf_t type is very critical here. What you want to do now is change this type to be named_log_t:

chcon -t named_log_t /var/named/chroot/var/log/named

Restart named and error messages should go away.

Where did this named_conf_t type come from?

> more /etc/selinux/targeted/contexts/files/file_contexts

Run that more command see look at all of those labels. You want to find the named "chroot" labels and eventually work your way down to the /var/named/chroot/var/log paths. Then you want to add your own rule for the var/log/named path so that it sets the proper type to named_log_t. That way this change will survive reboot and restorecon, which is also very important.

A good place to start learning selinux:


Popular posts from this blog

The Spinning Brain

Intuition is a phenomenon of the biological brain that doesn't have any physical explanation. Many people experience intuition with varying degrees of success. There are a variety of theories regarding intuition [1] and some people regard intuition with much caution [2] . Yet, I am happily in the camp that has learned to respect my intuition as it has proven time and time again to be correct. Recently, though, I'd been thinking about intuition and soothsaying . There are many cases of people who claim to see the future, whatever that might be. Maybe there is something to be said about this mystical phenomenon. Maybe there is a real physical process at work that we just haven't thought of yet. To this end, I am proposing a theory about human intuition. This theory, though requires some background in quantum mechanics . Specifically, quantum entanglement . I'm not the only person who has theorized about quantum entanglement and its role in biological congnition and th...
Read more

Stock Option Debt Income

The 2024 Presidential election has brought out a topic of interest that seems to have been perverted. There is this "Taxing Unrealized Capital Gains" [1] movement that is being falsely attributed to Vice President Harris. Clearly, this is a change in the revenue code that was designed by someone in office long before VP Harris was in office. My money is on Elizabeth Warren and Bernie Sanders. What is this change in the revenue code though? For that you have to understand what Silicon Valley zillionaires are doing with their stock options. Many of these people in this special economic area have huge discounts on stock prices for companies that are not public yet, or are public and can not be sold [2]. To be fair to these holders of equity, banks allow them to finance debt using leverage against those options. If you hold an option that is worth $5M then a bank might lend you a share of that value, thus realizing a debt against the option [3]. This is a fair debt instrument and...
Read more

UNTITLED

I like people who can talk straight and take it standing. There's not enough straight talkers in the world, and certainly not enough in the USA. It seems as though our opinions are illegal if they are not in-line with the normative line of acceptance. That truly seems Orwellian to me. That said, though, this blog is more about race and ignorance than about the Thought Police. There does not exist a more sensitive and inflammatory topic than race . You should read the Wikipedia entry on race as it pertains to humans. It may enlighten you somewhat. The USA has two presidential candidates in its 2008 Presidential race. One of them is sort of a pinkish-white color, and the other is something of a brown color. The pinkish-white one has an American heritage with clear ancestry back to Northern Europeans. The brownish colored one has an Indonesian heritage with some suspected ancestry back to Africa, although he also has European ancestry. Call them whatever race you want. Where I have ...
Read more