[SOLVED] named error: permission denied

Issues related to configuring your network
smacz
Posts: 6
Joined: 2015/06/30 01:16:24

[SOLVED] named error: permission denied

Post by smacz » 2015/07/15 06:46:42

So before I started the named service, I ran the named-check tests to make sure everything was working:

# named-checkconf -z /etc/named.conf

zone home.virtnet/IN: loaded serial 20150715
zone 10.10.10.in-addr.arpa/IN: loaded serial 20150715
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0

# named-checkzone home.virtnet /var/named/forward.virtnet

zone home.virtnet/IN: loaded serial 20150715
OK

# named-checkzone home.virtnet /var/named/reverse.virtnet

zone home.virtnet/IN: loaded serial 20150715
OK

But when I go to start it, it fails. The relevant output:

# systemctl status named

named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-07-15 01:41:42 EDT; 13min ago
  Process: 22318 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 22282 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 22402 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=1/FAILURE) ### Why is it failing now?
 Main PID: 22284 (code=exited, status=0/SUCCESS)

Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone 10.10.10.in-addr.arpa/IN: not loaded due to errors. ### This did not show up earlier
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: _default/10.10.10.in-addr.arpa/IN: permission denied ### What permission is being requested?
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone localhost.localdomain/IN: loaded serial 0
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone localhost/IN: loaded serial 0
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jul 15 01:41:42 naming.home.virtnet named-checkconf[22402]: zone 0.in-addr.arpa/IN: loaded serial 0
Jul 15 01:41:42 naming.home.virtnet systemd[1]: named.service: control process exited, code=exited status=1
Jul 15 01:41:42 naming.home.virtnet systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 15 01:41:42 naming.home.virtnet systemd[1]: Unit named.service entered failed state.

I don't understand the "permission denied" error, especially since it didn't show up in the stand-alone run of named-checkconf -z that I did. Why systemd returns an error code of 1 for named-checkconf is beyond me.

The permissions are:

-rw-r--r--. 1 named named  276 Jul 15 00:44 /var/named/forward.home
-rw-r--r--. 1 named named  328 Jul 15 00:43 /var/named/reverse.home
-rw-r-----. 1 root named 1782 Jul 15 02:01 /etc/named.conf

Here are the files that I've been working with.

/var/named/forward.home

$TTL 86400
@       IN      SOA     naming.home.virtnet. root.naming.home.virtnet.  (
        20150715        ;Serial
        3600    ;Refresh
        1800    ;Retry
        604800  ;Expire
        86400   ;Minimum TTL
)
@       IN      NS      naming.home.virtnet.
@       IN      A       10.10.10.2
@       IN      A       10.10.10.3
naming  IN      A       10.10.10.2
spacewalk       IN      A       10.10.10.3

/var/named/reverse.home

$TTL 86400
@       IN      SOA     naming.home.virtnet. root.home.virtnet. (
        20150715        ;Serial
        3600    ;Refresh
        1800    ;Retry
        604800  ;Expire
        86400   ;Minimum TTL
)
@       IN      NS      naming.home.virtnet.
@       IN      PTR     home.virtnet.
naming  IN      A       10.10.10.2
spacewalk       IN      A       10.10.10.3
2       IN      PTR     naming.home.virtnet.
3       IN      PTR     spacewalk.home.virtnet.   ; trailing dot needed, otherwise the name is taken relative to the zone origin

Lastly my /etc/named.conf

//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 10.10.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 10.10.10.0/24; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


zone "." IN {
        type hint;
        file "named.ca";
};

zone "home.virtnet" IN {
        type master;
        file "forward.home";
        allow-update { none; };
};

zone "10.10.10.in-addr.arpa" IN {
        type master;
        file "reverse.home";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

I attempted to uninstall and then reinstall bind, but I kept getting the same error. Would someone please help me diagnose and troubleshoot this error? Thank you for your consideration.

- Andrew

EDIT: The first time I was using bind-chroot. I uninstalled that and am now just using bind. The same error occurred both times.
Last edited by smacz on 2015/07/17 09:31:51, edited 1 time in total.

crashdog
Posts: 38
Joined: 2015/07/11 16:11:43
Location: Schaffhausen,CH

Re: named error: permission denied

Post by crashdog » 2015/07/15 08:26:39

Probably not the solution, but since it says permission denied, have you checked the SELinux file and directory permissions (ls -Z)?
My zone files have the following permission settings: system_u:object_r:named_zone_t:s0, and the named directory: system_u:object_r:named_zone_t:s0

Ready.

Crashdog

smacz
Posts: 6
Joined: 2015/06/30 01:16:24

Re: named error: permission denied

Post by smacz » 2015/07/15 09:26:22

Thanks for the lead! A quick search shows that SELinux may just be the culprit. Let me check it out.

smacz
Posts: 6
Joined: 2015/06/30 01:16:24

SOLVED

Post by smacz » 2015/07/17 09:29:57

Was able to resolve it. My (somewhat wordy) notes are below.

Permission Denied

Trying to access X.X.X.in-addr.arpa results in

... :permission denied

So that's not good. I've heard (@crashdog) that this is probably linked to an SELinux rule. So now
let's see if I can use `audit2allow` to fix the problem, however that program
works.

First off, there's no `audit2allow` package, it's in `policycoreutils-devel`.

# yum -y install policycoreutils-devel

And the synopsis

# man audit2allow

Synopsis

        audit2allow [options]

Which is not really helpful. Luckily, there are examples. Mostly, it's about a
log file being piped into `audit2allow` via `cat`. This is a powerful tool. It's
going to take a bit of googling for this specifically. Also, using CentOS 7 means
that this'll probably be using systemd's `journalctl`.

Checking out `/var/log/audit/audit.log` showed exactly the confirmation that I
wanted. (It's the file that `audit2allow` reads.)

# cat /var/log/audit/audit.log | egrep 'named|denied'

Not very fancy, but reading some of the lines, I see that at least one of the
files that I created (reverse.home) was being denied from being opened. Taking a
look at the output of the security permissions reads:

# ls -Z /var/named/forward.home; ls -Z /var/named/reverse.home

-rw-r--r--. named named unconfined_u:object_r:user_tmp_t:s0 /var/named/forward.home
-rw-r--r--. named named unconfined_u:object_r:user_tmp_t:s0 /var/named/reverse.home

Which, in contrast to /etc/named.conf:

# ls -Z /etc/named.conf

-rw-r--r--. root named system_u:object_r:named_conf_t:s0 /etc/named.conf

shows some differences. First, to change back the regular file owner (which
I had messed around with earlier):

# chown root:named /var/named/{forward,reverse}.home

What we need now is to change those security permissions.

Reading the Red Hat 7 SELinux User's and Administrator's Guide, Ch. 10, to
spit out a *much* more readable text I executed:

# ausearch -c named

Or, to get more general:

# ausearch -m avc

to show the denials for the service named "named", aka DNS. Sure enough, there
was an `{ open }` system call that was being denied. Not having the sealert
utility (which shows suggested "Allowing Access" tips), I needed to install the
`setroubleshoot-server` package.

# yum -y install setroubleshoot-server

There are still no "SELinux is preventing..." messages in /var/log/messages,
which is worrying me. But I'll continue down this path as far as I can. I can
see though that these error messages were caught by setroubleshootd.

# setroubleshootd
# systemctl start named
# journalctl _COMM=setroubleshootd

Then sealert comes into play.

# sealert -a /var/log/audit/audit.log | less

So much neatly parsed information! Let's see:

SELinux is preventing named-checkconf from open access on file /var/named/reverse.home

If you want to fix the label.
/var/named/reverse.home default label should be named_zone_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/named/reverse.home

Which is pretty straightforward! So how about that `audit2allow`?

# audit2allow -w -a

Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

Sweet. However, this isn't fixing the label, this is creating an allow rule, and
who knows what other files can be allowed with this permission. Let's try to
change the label first.

# chcon -t named_zone_t /var/named/reverse.home
# semanage fcontext -a -t named_zone_t "/var/named/reverse.home"

Which changes the label explicitly, but only temporarily; the `semanage` command makes the
change permanent. To change it based on its location in the filesystem hierarchy:

# restorecon -v /var/named/reverse.home

Which did work, because it's in the correct spot for SELinux to know to set
the correct label. However, `systemctl start named` still fails.

# restorecon -v /var/named/forward.home

Oops! Forgot to do the forward zone file too.

# systemctl start named
# systemctl status named

...
Active: active (running) since...1min 11sec ago
...

Cool! Looks like that about wraps up the permission denied error. Marking this as [SOLVED].
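Added example, not code from the thread: a small POSIX shell helper that does the audit.log triage from the notes above, filtering AVC denials for named and its check tools out of constructed sample audit lines, flagging targets whose SELinux type is not named_zone_t, and printing the restorecon or semanage fix the post used. The function names and sample data are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials for BIND the way the
# post does by hand. The audit.log lines below are constructed, not real.
AUDIT_SAMPLE='type=AVC msg=audit(1436939102.101:401): avc:  denied  { open } for  pid=22402 comm="named-checkconf" path="/var/named/reverse.home" dev="dm-0" ino=1001 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1436939102.102:402): avc:  denied  { read } for  pid=22402 comm="named-checkconf" path="/var/named/forward.home" dev="dm-0" ino=1002 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1436939102.102:402): arch=c000003e syscall=2 success=no exit=-13 comm="named-checkconf" exe="/usr/sbin/named-checkconf"
type=AVC msg=audit(1436939102.103:403): avc:  denied  { open } for  pid=1200 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1436939102.104:404): avc:  denied  { write } for  pid=22500 comm="named" path="/var/named/forward.home" dev="dm-0" ino=1002 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file'

# Read audit.log text on stdin and print "path type" (one per line) for each
# denial hit by named or its check tools whose target type is not $1.
# A denial whose type already matches (the last sample line) is left out: that
# is a policy decision (e.g. the named_write_master_zones boolean), not a label.
named_mislabeled_zone_files() {
    want="${1:-named_zone_t}"
    grep -E 'avc: +denied' |
        grep -E 'comm="named(-check(conf|zone))?"' |
        sed -n 's/.*path="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p' |
        awk -v want="$want" '$2 != want { print $1, $2 }' |
        sort -u
}

# Remediation for one mislabeled file, using the commands from the post: the
# targeted policy already ships a default context for /var/named, so restorecon
# alone is enough there; elsewhere the context must be registered with semanage
# first so that restorecon (and any future relabel) knows what to apply.
suggest_fix() {
    path="$1"
    type="${2:-named_zone_t}"
    case "$path" in
        /var/named/*) printf 'restorecon -v %s\n' "$path" ;;
        *) printf 'semanage fcontext -a -t %s "%s"\nrestorecon -v %s\n' \
               "$type" "$path" "$path" ;;
    esac
}

# Walk the sample: reverse.home and forward.home (user_tmp_t) are reported,
# httpd's file and the correctly labelled write denial are not.
printf '%s\n' "$AUDIT_SAMPLE" | named_mislabeled_zone_files named_zone_t |
    while read -r path type; do
        echo "mislabeled: $path is $type"
        suggest_fix "$path"
    done
```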


Return to “CentOS 7 - Networking Support”