Hi Todd,
that means you are trying to save session.key into a directory where SELinux is
forbidding write access to named.
Session.key is a file created once per start and removed before shutdown. I think
you have something wrong with the /var/run/named -> /run/named link.
The default built-in value is /var/run/named/session.key. The default Fedora
configuration uses /run/named/session.key. Both paths should work without
difference.
The correct SELinux type for files in /run/named is named_var_run_t. I think you
should run instead:
$ restorecon -rv /run/named /var/run/named
Then restart the named service. The context of a new file should already be correct.
Do you have this option in your configuration file? What is its value?
# options { ...
session-keyfile "/run/named/session.key";
It would be helpful if you included your configuration in readable form, please.
The listed types are more likely the types named is allowed to touch. I admit SELinux
errors are often confusing. What you have written here are hints on how to solve
the error, not the error itself.
More helpful errors would be printed by:
$ ausearch -i -ts today -m avc -m user_avc -m selinux_err
Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [email protected] PGP: 65C6C973
----- Original Message -----
From: "ToddAndMargo" <[email protected]>
To: [email protected]
Sent: Friday, August 11, 2017 10:39:11 PM
Subject: Confused about SELinux error
Hi All,
What does this SELinux error mean when I start bind-chroot?
# semanage fcontext -a -t FILE_TYPE 'session.key'
where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
named_log_t, named_tmp_t, named_var_run_t.
# semanage fcontext -a -t named_var_run_t 'session.key'
# restorecon -v 'session.key'
How am I supposed to know what "FILE_TYPE" they are talking about?
-T
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
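
Added example (not part of the original thread, and not code from BIND or Fedora): a shell filter that reduces raw AVC records, the kind of denial the ausearch command in the reply selects, to the denied permission, object name and target type for named, and flags targets not labelled named_var_run_t. The function name, variable names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for named from raw audit records
# (audit.log style, e.g. the output of "ausearch --raw -m avc").
# EXPECTED_TYPE is the type the reply names for files in /run/named.
EXPECTED_TYPE=named_var_run_t

# Reads audit records on stdin; prints one line per denial with comm="named":
#   <permissions> <object name> <target type> <type-ok|mislabeled>
summarize_named_avc() {
    awk -v want="$EXPECTED_TYPE" '
        /avc: +denied/ && /comm="named"/ {
            perms = name = ttype = "?"
            # The denied permission set sits between the braces: { write }
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/) { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
                # tcontext is user:role:type:level; the type is the third part
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            print perms, name, ttype, (ttype == want ? "type-ok" : "mislabeled")
        }'
}

# Constructed sample records (not taken from the thread)
SAMPLE_LOG='type=AVC msg=audit(1502484000.101:411): avc:  denied  { write } for  pid=2211 comm="named" name="session.key" dev="tmpfs" ino=30211 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502484000.300:412): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502484001.007:413): avc:  denied  { create write } for  pid=2211 comm="named" name="named" dev="tmpfs" ino=30100 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

printf '%s\n' "$SAMPLE_LOG" | summarize_named_avc
```

A "mislabeled" line points at the file or directory whose context restorecon should reset; a "type-ok" denial means the label is already named_var_run_t and the cause lies elsewhere.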