[SOLVED] Bind Failed to Start -- Need Help to setup Simple Dns Config

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

[SOLVED] Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/13 18:40:52

I'm not totally new to Linux, but this is my 1st time trying to set up a local mail server.
I'm trying to set up simple DNS [no chroot] on a test mail server running CentOS 5.5 minimal install, SELinux enabled.
I installed bind [yum install bind caching-nameserver] and created my zone files from some sample DNS files I got from class, but DNS failed to start each time.

When I run /etc/init.d/named start or service named restart I get:
[code]
Error in named configuration
None:o: open: /etc/named/conf : permission denied
[/code]

When I run named -g I get:
[code]
couldn't open pid file /var/run/named/named.pid permission denied
named failed to start
[/code]

This is what I see in /var/log/messages:

Jul 13 12:03:10 mailserver2 named[7949]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named
Jul 13 12:03:10 mailserver2 named[7949]: adjusted limit on open files from 1024 to 1048576
Jul 13 12:03:10 mailserver2 named[7949]: found 1 CPU, using 1 worker thread
Jul 13 12:03:10 mailserver2 named[7949]: using up to 4096 sockets
Jul 13 12:03:10 mailserver2 named[7949]: loading configuration from '/etc/named.conf'
Jul 13 12:03:10 mailserver2 named[7949]: using default UDP/IPv4 port range: [1024, 65535]
Jul 13 12:03:10 mailserver2 named[7949]: using default UDP/IPv6 port range: [1024, 65535]
Jul 13 12:03:10 mailserver2 named[7949]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 13 12:03:10 mailserver2 named[7949]: listening on IPv4 interface eth0, 192.168.2.63#53
Jul 13 12:03:10 mailserver2 named[7949]: /etc/named.conf:13: using specific query-source port suppresses port randomization and can be insecure.
Jul 13 12:03:10 mailserver2 named[7949]: command channel listening on 127.0.0.1#953
Jul 13 12:03:10 mailserver2 named[7949]: command channel listening on ::1#953
Jul 13 12:03:10 mailserver2 named[7949]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Jul 13 12:03:10 mailserver2 named[7949]: zone 2.168.192.in-addr.arpa/IN: loaded serial 1997022700
Jul 13 12:03:10 mailserver2 named[7949]: zone testcompany.local/IN: loaded serial 1997022700
Jul 13 12:03:10 mailserver2 named[7949]: running
Jul 13 12:04:27 mailserver2 named[7949]: shutting down
Jul 13 12:04:27 mailserver2 named[7949]: stopping command channel on 127.0.0.1#953
Jul 13 12:04:27 mailserver2 named[7949]: stopping command channel on ::1#953
Jul 13 12:04:27 mailserver2 named[7949]: no longer listening on 127.0.0.1#53
Jul 13 12:04:27 mailserver2 named[7949]: no longer listening on 192.168.2.63#53
Jul 13 12:04:27 mailserver2 named[7949]: exiting
Jul 13 12:04:51 mailserver2 named: none:0: open: /etc/named.conf: permission denied

Can someone help me troubleshoot this problem, whether it be my file permissions or my named.conf?
Any help will be appreciated.
Thanks in advance.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] Bind Failed to Start -- Need Help to setup Simple D

Post by pschaff » 2010/07/13 21:34:08

I'm guessing you also changed /etc/named/conf. How about showing us
[code]
ls -lF /etc/named* /var/run/
rpm -V caching-nameserver
[/code]

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/13 22:06:53

When I run ls -lF /etc/named* /var/run/ this is the output:
[code]
[root@mailserver2 user]# ls -lF /etc/named* /var/run/
-rw-r----- 1 root named 1230 Jan 20 11:33 /etc/named.caching-nameserver.conf
-rw-rw-r-- 1 root named 1049 Jul 12 17:39 /etc/named.conf
-rwxr-xr-x 1 root named 1041 Jul 9 13:48 /etc/named.conf.bak*
-rw-r----- 1 root named 955 Jan 20 11:33 /etc/named.rfc1912.zones

/var/run/:
total 364
srw-rw-rw- 1 root root 0 Jul 12 08:33 acpid.socket=
-rw-r--r-- 1 root root 5 Jul 12 08:33 atd.pid
srw-r----- 1 root root 0 Jul 12 08:33 audispd_events=
-rw-r--r-- 1 root root 5 Jul 12 08:33 auditd.pid
prw------- 1 root root 0 Jul 12 08:33 autofs.fifo-misc|
prw------- 1 root root 0 Jul 12 08:33 autofs.fifo-net|
drwxr-xr-x 2 avahi avahi 4096 Jul 12 08:33 avahi-daemon/
drwxr-xr-x 2 root root 4096 Jul 9 12:48 console/
-rw-r--r-- 1 root root 5 Jul 12 08:33 crond.pid
drwxr-xr-x 3 root lp 4096 Jul 12 08:33 cups/
-rw-r--r-- 1 root root 5 Jul 12 08:33 cupsd.pid
drwxr-xr-x 2 root root 4096 Jul 12 08:33 dbus/
-rw-r--r-- 1 root root 5 Jul 13 08:41 dhclient-eth0.pid
-rw-r--r-- 1 root root 5 Jul 12 08:33 gpm.pid
-rw-r--r-- 1 root root 5 Jul 12 08:33 haldaemon.pid
-rw------- 1 root root 5 Jul 12 08:33 klogd.pid
drwx------ 2 root root 4096 Jan 26 18:48 mdadm/
drwx------ 2 root root 4096 Jan 26 18:48 mdmpd/
-rw-r--r-- 1 root root 5 Jul 12 08:33 messagebus.pid
drwxrwx--- 2 named named 4096 Jul 13 12:03 named/
drwxrwxr-x 2 root root 4096 Sep 28 2009 netreport/
drwxr-xr-x 2 root root 4096 Mar 31 06:40 NetworkManager/
drwxr-xr-x 2 root root 4096 Jun 7 21:35 nscd/
srwxrwxrwx 1 root root 0 Jul 12 08:33 pcscd.comm=
-rw-r--r-- 1 root root 4 Jul 12 08:33 pcscd.pid
-rw-r--r-- 1 root root 65537 Jul 12 08:33 pcscd.pub
drwxr-xr-x 2 root root 4096 Jan 22 2009 pm/
drwxr-xr-x 2 root root 4096 Jan 20 2009 ppp/
-rw-r--r-- 1 root root 5 Jul 12 08:33 restorecond.pid
-rw-r--r-- 1 root root 5 Jul 12 08:33 rpc.statd.pid
drwxr-xr-x 2 root root 4096 Mar 17 08:14 saslauthd/
-rw------- 1 root smmsp 33 Jul 12 08:33 sendmail.pid
drwxr-xr-x 2 root root 4096 Jul 12 08:32 setrans/
-rw-r--r-- 1 smmsp smmsp 49 Jul 12 08:33 sm-client.pid
-rw-r--r-- 1 root root 5 Jul 12 08:33 sshd.pid
drwx------ 2 root root 4096 Jun 16 04:44 sudo/
-rw------- 1 root root 5 Jul 12 08:33 syslogd.pid
-rw-rw-r-- 1 root utmp 5376 Jul 13 16:56 utmp
drwxr-xr-x 2 root root 4096 Mar 30 23:59 wpa_supplicant/
[/code]
When I run rpm -V caching-nameserver it comes back blank.

I hope the output of the 1st command gives an idea of what's wrong.
[Moderator edit: Added [i]code[/i] tags to preserve formatting.]

jaylakes
Posts: 5
Joined: 2010/05/01 13:26:41

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by jaylakes » 2010/07/14 11:42:49

This may be a red herring, but can you show us the output of:
[code]
cat /etc/sysconfig/named
[/code]

The permissions seem like they shouldn't be a problem, provided that there are no odd configs in that file.
But in the chrooted bind package, that file contains the rootdir setting. It may be that the permission errors you're getting are based on the chroot dir and not the actual root.
That can produce some confusing behavior.

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/14 13:44:42

[quote]
jaylakes wrote:
This may be a red herring, but can you show us the output of:
[code]
cat /etc/sysconfig/named
[/code]

The permissions seem like they shouldn't be a problem, provided that there are no odd configs in that file.
But in the chrooted bind package, that file contains the rootdir setting. It may be that the permission errors you're getting are based on the chroot dir and not the actual root.
That can produce some confusing behavior.[/quote]

Most definitely it's confusing. This morning I was troubleshooting again why I'm still having issues starting my DNS (named), and I noticed
that when I temporarily turn off SELinux [ echo 0 > /selinux/enforce ] my DNS (named) starts just fine, no issues.
But as soon as I turn it back on [ echo 1 > /selinux/enforce ] I can't seem to start DNS (named); I keep getting "Fail to start or permission denied".
I think SELinux is the culprit, but I don't know how to get around it because I don't want to disable SELinux (heard it's safer with SELinux on).
Really confused now.

This is the output of cat /etc/sysconfig/named:

[root@mailserver2 user]# cat /etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/some/where" -- will run named in a chroot environment.
# you must set up the chroot environment
# (install the bind-chroot package) before
# doing this.
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, use ROOTDIR instead.
#
# ENABLE_ZONE_WRITE=yes -- If SELinux is disabled, then allow named to write
# its zone files and create files in its $ROOTDIR/var/named
# directory, necessary for DDNS and slave zone transfers.
# Slave zones should reside in the $ROOTDIR/var/named/slaves
# directory, in which case you would not need to enable zone
# writes. If SELinux is enabled, you must use only the
# 'named_write_master_zones' variable to enable zone writes.
#
# ENABLE_SDB=yes -- This enables use of 'named_sdb', which has support
# -- for the ldap, pgsql and dir zone database backends
# -- compiled in, to be used instead of named.
#
# DISABLE_NAMED_DBUS=[1y]-- If NetworkManager is enabled in any runlevel, then
# the initscript will by default enable named's D-BUS
# support with the named -D option. This setting disables
# this behavior.
#
# KEYTAB_FILE="/dir/file" -- Specify named service keytab file (for GSS-TSIG)

This is a copy of my /var/log/messages with SELinux turned off temporarily [ echo 0 > /selinux/enforce ], after which I started my DNS (named):

Jul 14 07:39:59 mailserver2 named[4554]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named
Jul 14 07:39:59 mailserver2 named[4554]: adjusted limit on open files from 1024 to 1048576
Jul 14 07:39:59 mailserver2 named[4554]: found 1 CPU, using 1 worker thread
Jul 14 07:39:59 mailserver2 named[4554]: using up to 4096 sockets
Jul 14 07:39:59 mailserver2 named[4554]: loading configuration from '/etc/named.conf'
Jul 14 07:39:59 mailserver2 named[4554]: using default UDP/IPv4 port range: [1024, 65535]
Jul 14 07:39:59 mailserver2 named[4554]: using default UDP/IPv6 port range: [1024, 65535]
Jul 14 07:39:59 mailserver2 named[4554]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 14 07:39:59 mailserver2 named[4554]: listening on IPv4 interface eth0, 192.168.2.63#53
Jul 14 07:39:59 mailserver2 named[4554]: /etc/named.conf:13: using specific query-source port suppresses port randomization and can be insecure.
Jul 14 07:39:59 mailserver2 named[4554]: command channel listening on 127.0.0.1#953
Jul 14 07:39:59 mailserver2 named[4554]: command channel listening on ::1#953
Jul 14 07:39:59 mailserver2 named[4554]: command channel listening on ::1#953
Jul 14 07:39:59 mailserver2 named[4554]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Jul 14 07:39:59 mailserver2 named[4554]: zone 2.168.192.in-addr.arpa/IN: loaded serial 1997022700
Jul 14 07:39:59 mailserver2 named[4554]: zone testcompany.local/IN: loaded serial 1997022700
Jul 14 07:39:59 mailserver2 named[4554]: running

This is a copy of my /var/log/messages with SELinux turned back on [ echo 1 > /selinux/enforce ], after which I restarted named:

Jul 14 07:42:09 mailserver2 named[4554]: shutting down: flushing changes
Jul 14 07:42:09 mailserver2 named[4554]: stopping command channel on 127.0.0.1#953
Jul 14 07:42:09 mailserver2 named[4554]: stopping command channel on ::1#953
Jul 14 07:42:09 mailserver2 named[4554]: no longer listening on 127.0.0.1#53
Jul 14 07:42:09 mailserver2 named[4554]: exiting
Jul 14 07:42:11 mailserver2 named: none:0: open: /etc/named.conf: permission denied
Jul 14 07:57:19 mailserver2 named: none:0: open: /etc/named.conf: permission denied

Any SELinux or permissions help will be highly appreciated.
Thanks in advance.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by TrevorH » 2010/07/14 14:40:49

Show us the output from

[code]
ls -laZ /etc/named.conf /var/named/chroot/etc/named.conf
[/code]

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/14 17:34:34

[quote]
TrevorH wrote:
Show us the output from

[code]
ls -laZ /etc/named.conf /var/named/chroot/etc/named.conf
[/code][/quote]

Here is the output:

[code]
[root@mailserver2 user]# ls -laZ /etc/named.conf /var/named/chroot/etc/named.conf
ls: /var/named/chroot/etc/named.conf: No such file or directory
-rw-rw-r-- root named system_u:object_r:dosfs_t /etc/named.conf
[/code]

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by TrevorH » 2010/07/14 23:23:53

Yes, your file is mislabeled. It should look more like this

[code]
-r-------- named named system_u:object_r:named_conf_t:s0 /etc/named.conf
[/code]

You could try just resetting the selinux context for that one file by running

[code]
restorecon /etc/named.conf
[/code]

which will reset just that one file to the default context. However, it's more likely that this is just a symptom of a wider problem so you might be better off relabeling the entire file system by doing this

[code]
touch /.autorelabel
reboot
[/code]
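
The reasoning in this reply, as an added example that is not part of the original thread: the posted mode bits already let group named read the file, so the mismatch between the posted type and the reference type is what remains. The function names and verdict strings are assumptions made for this sketch; the two sample lines are the ones posted in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. It works on captured `ls -Z` text in the
# five-column form posted above (mode owner group context path), so it runs
# without SELinux tooling. Newer `ls -lZ` output has extra columns.

# Print the SELinux type (third field of user:role:type[:level]) in one line.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+(:.*)?$/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# dac_read_ok LINE USER GROUP: true if the mode bits let USER/GROUP read.
dac_read_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $2}')
    group=$(printf '%s\n' "$1" | awk '{print $3}')
    if [ "$owner" = "$2" ]; then col=2      # owner read bit
    elif [ "$group" = "$3" ]; then col=5    # group read bit
    else col=8; fi                          # other read bit
    [ "$(printf '%s' "$mode" | cut -c"$col")" = "r" ]
}

# triage LINE USER GROUP EXPECTED_TYPE: print one verdict.
triage() {
    actual=$(selinux_type "$1")
    if ! dac_read_ok "$1" "$2" "$3"; then
        echo "DAC_DENIES"              # ordinary permissions explain the error
    elif [ "$actual" != "$4" ]; then
        echo "MISLABELED:$actual"      # DAC allows the read, the label does not fit
    else
        echo "OK"
    fi
}

# Both lines are copied from the thread: the poster's file and the reference.
POSTED='-rw-rw-r-- root named system_u:object_r:dosfs_t /etc/named.conf'
REFERENCE='-r-------- named named system_u:object_r:named_conf_t:s0 /etc/named.conf'

triage "$POSTED" named named named_conf_t       # MISLABELED:dosfs_t
triage "$REFERENCE" named named named_conf_t    # OK
```

On a live system, `matchpathcon -V /etc/named.conf` compares the file's label with the policy default, and `restorecon -n -v /etc/named.conf` shows what would be changed without changing it.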

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/15 01:59:11

[quote]
TrevorH wrote:
Yes, your file is mislabeled. It should look more like this

[code]
-r-------- named named system_u:object_r:named_conf_t:s0 /etc/named.conf
[/code]

You could try just resetting the selinux context for that one file by running

[code]
restorecon /etc/named.conf
[/code]

which will reset just that one file to the default context. However, it's more likely that this is just a symptom of a wider problem so you might be better off relabeling the entire file system by doing this

[code]
touch /.autorelabel
reboot
[/code][/quote]

Hey TrevorH, thanks for pointing out the SELinux issue and how to autorelabel the entire system.
I'm not in the office at present, but as soon as I get back in the office [tomorrow morning] I will relabel the entire system and post back if I am successful.
Thanks again.

SILLAT_JAM
Posts: 50
Joined: 2010/01/23 20:13:41
Location: Caribbean, Jamaica

Re: Bind Failed to Start -- Need Help to setup Simple Dns Config

Post by SILLAT_JAM » 2010/07/15 16:10:25

Happy to report back that resetting SELinux and relabeling the entire system fixed my DNS issue.

[code]
touch /.autorelabel
reboot
[/code]

Problem solved!!
Thanks a million TrevorH :lol:

PS
How do I mark this thread as solved?
