Online Promoters™ :: Web Development made simple

Named Bind SELinux error: dumping master file: tmp-xxx: open: permission denied


When configuring DNS servers running BIND (named), on a slave server you might encounter the following error when the slave is trying to update its zones from the master server:

named[25319]: zone tlthost.net/IN: Transfer started.
named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#59827
named[25319]: dumping master file: tmp-NrfJj6zM6s: open: permission denied
named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: end of transfer

Assuming that your named folders and files have the proper ownership and permissions (usually owner and group named:named with mode 770), you might also want to check your SELinux status. On a fresh install all the required permissions should be in place by default, except for any custom folders you may have added.

Perhaps you have copied some configuration files from another system and those files have not yet been "indexed" (relabeled) by SELinux. In that case SELinux treats them as "alien" files, which produces the error above.

Disabling SELinux IS NOT AN OPTION! You should solve the issues that prevent your Linux system from working properly WITHOUT DISABLING SELinux.

Relabel the filesystem at boot time:

[root@linux hack]# touch /.autorelabel && reboot

SELinux can be disabled completely at boot by passing selinux=0 on the kernel command line. This disables SELinux entirely until the next reboot, and you will need to relabel files when you reboot to ensure proper operation.

If you cannot afford a reboot, take a look at the SELinux fixfiles command:

[root@linux hack]# /sbin/fixfiles check

fixfiles can be used to relabel the entire filesystem based on the current policy, or to relabel a packaged application's files based on the information included in that application's RPM package.

A better alternative for temporarily disabling SELinux is to put the system into permissive mode. Permissive mode will log actions that would have been denied, but will not actually deny them. This contrasts with the normal enforcing mode that will actively deny access to actions not explicitly allowed by the currently running policy.
To put the system into permissive mode, issue the command setenforce 0 while in the sysadm_r role, or pass enforcing=0 on the kernel command line at boot. To resume enforcing mode, issue the command setenforce 1. Issuing the command getenforce returns the mode SELinux is currently running in.

SELinux modes can also be set by editing the SELinux config file located at /etc/selinux/config. The SELINUX= line can be set to enforcing, permissive, or disabled, and takes effect on the next reboot.

SELinux status:

[root@linux hack]# cat /selinux/enforce

Enable SELinux:

[root@linux hack]# echo 1 > /selinux/enforce

Disable SELinux:

[root@linux hack]# echo 0 > /selinux/enforce
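The post's remedy, relabeling instead of switching SELinux off, as a small shell script. This is an added example and not code from the original post: it reads the current mode the same way the commands above do (getenforce, or the enforce file), recognises the zone-transfer failure from the log lines quoted at the top, lists mislabeled files under BIND's directory as a dry run, and then relabels them in place with no reboot. The directory /var/named, the type names named_zone_t and named_cache_t, and the custom slave directory are assumptions based on the stock targeted policy of Red Hat-style systems; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the original post. Repairs SELinux labels on BIND's
# working directory instead of disabling SELinux. Paths, type names and the
# custom directory are assumptions for a Red Hat-style targeted policy.

NAMED_DIR="${NAMED_DIR:-/var/named}"

# Map the 0/1 stored in the enforce file to the word that getenforce prints.
enforce_to_word() {
    case "$1" in
        1) echo "Enforcing" ;;
        0) echo "Permissive" ;;
        *) echo "Disabled" ;;
    esac
}

# Current SELinux mode: getenforce when available, otherwise the enforce file at
# its current (/sys/fs/selinux) or legacy (/selinux) location.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /sys/fs/selinux/enforce ]; then
        enforce_to_word "$(cat /sys/fs/selinux/enforce)"
    elif [ -r /selinux/enforce ]; then
        enforce_to_word "$(cat /selinux/enforce)"
    else
        echo "Disabled"
    fi
}

# Classify one named log line: "yes" when it is the failure from the post (named
# cannot create its tmp-XXXX master file while receiving a zone), else "no".
is_transfer_write_denial() {
    case "$1" in
        *"dumping master file: tmp-"*"permission denied"*) echo yes ;;
        *"failed while receiving responses: permission denied"*) echo yes ;;
        *) echo no ;;
    esac
}

# Dry run: list files under the named directory whose label differs from what the
# loaded policy expects. Nothing is changed (-n), so it is safe on a live server.
check_labels() {
    restorecon -Rnv "$NAMED_DIR"
}

# Relabel in place, no reboot. Under the stock policy this restores named_zone_t
# on /var/named and named_cache_t on /var/named/slaves, where named writes.
fix_labels() {
    restorecon -Rv "$NAMED_DIR"
}

# For a zone directory outside the packaged layout (assumed path), record the
# context in policy first; without the entry a later boot-time relabel would
# turn the directory back into an "alien" one.
register_custom_slave_dir() {
    dir="$1"
    semanage fcontext -a -t named_cache_t "${dir}(/.*)?"
    restorecon -Rv "$dir"
}

main() {
    echo "SELinux mode: $(selinux_mode)"
    # Constructed sample line, copied from the error shown in the post.
    line='named[25319]: dumping master file: tmp-NrfJj6zM6s: open: permission denied'
    if [ "$(is_transfer_write_denial "$line")" = yes ]; then
        echo "Log line matches a label problem; checking $NAMED_DIR"
        check_labels
        fix_labels
    fi
}

# Run the repair only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--fix" ]; then
    main
fi
```

Run it as root with --fix on the slave, then retry the transfer (rndc retransfer <zone>); the dry run output tells you which files were carrying the wrong label before anything was changed.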

Further reading about SELinux administration can be found here: http://bit.ly/AkNz75 and here: http://bit.ly/AzFiTA