Need Info for Fedora 27, SELinux, Bind and Samba 4.7

Dario Lesca d.lesca at solinos.it
Wed Nov 1 17:11:17 UTC 2017


I have filed this bug in Bugzilla for Fedora 27:
https://bugzilla.redhat.com/show_bug.cgi?id=1476187

Now Petr Menšík is asking me these questions:

> Product: Fedora
> Version: 27
> Component: bind
> 
> Petr Menšík <pemensik at redhat.com> has asked Dario Lesca
> <d.lesca at solinos.it> for needinfo:

> Bug 1476187: Service bind not start due selinux when configured with
> samba deploy with --dns-backend=BIND9_DLZ
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> 
> 
> 
> --- Comment #4 from Petr Menšík <pemensik at redhat.com> ---
> Hi Dario,
> 
> chcon is not enough for distribution, it has to be reset by
> restorecon. I think
> 
> /etc/selinux/targeted/contexts/files/file_contexts needs one more
> line:
> 
> /var/lib/samba/bind-dns/dns(/.*)?       system_u:object_r:named_cache_t:s0
> 
> This file is owned by selinux-policy-targeted package. Please use
> named_cache_t instead, that is used for dynamic zones in bind.
> 
> You could then reset contexts from %post script of samba package.
> $ restorecon -R /var/lib/samba/bind-dns/dns
> 
> I wonder if both samba and bind would access this file at the same
> time?
>
> Is it designed to be written by both samba and bind?
> 
> In general, DLZ modules should be installed into /usr/lib*/bind I
> think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> does not make sense to distribute modules for different bind versions
> than packaged (current is bind 9.11 for 26+).
> 
> Bind supports also chroot mode (bind-chroot package), that would not
> have access to /var/lib/samba/bind-dns/dns without specific setup of
> chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> that configuration and keytab for bind should be in /etc/named/,
> where it is already handled by setup script. The same with DLZ
> module location.
> 
> Does it require access to samba database files?
>
> Which files or directories does it require?

I'm not a developer, I'm only a simple test user, and I cannot answer
Petr.

Can someone help me answer these questions?

I'll take it back to Bugzilla.

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)
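
One way to apply and then verify the labelling discussed in the quoted bug comment, as an added example that is not part of the original message or of the Samba, BIND or Fedora packaging. It assumes a local `semanage fcontext` rule stands in for the line proposed for the packaged file_contexts; the sample listing and the file names in it are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): label the Samba DLZ directory for named
# and detect files that drifted away from the expected SELinux type.

DLZ_DIR='/var/lib/samba/bind-dns/dns'   # path from the bug comment
WANT_TYPE='named_cache_t'               # type suggested in the bug comment

# Assumption: a local policy rule is used instead of editing the file_contexts
# file owned by selinux-policy-targeted. Defined only; run as root on an
# SELinux host. restorecon then resets labels from policy, unlike chcon.
apply_local_rule() {
    semanage fcontext -a -t "$WANT_TYPE" "${DLZ_DIR}(/.*)?" &&
    restorecon -R -v "$DLZ_DIR"
}

# Print "<context> <path>" for the directory and everything below it.
list_contexts() {
    find "$DLZ_DIR" -exec stat -c '%C %n' {} +
}

# Read "<context> <path>" lines on stdin, print every path whose type field
# (user:role:type:level) differs from WANT_TYPE, and return 1 if any was found.
find_mislabeled() {
    awk -v want="$WANT_TYPE" '
        NF >= 2 {
            split($1, f, ":")
            if (f[3] != want) { sub(/^[^ ]+ /, ""); print; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed sample: one file kept the type it inherited from /var/lib/samba,
# which is what happens to files created after a one-off chcon.
sample_listing() {
cat <<'EOF'
system_u:object_r:named_cache_t:s0 /var/lib/samba/bind-dns/dns
system_u:object_r:named_cache_t:s0 /var/lib/samba/bind-dns/dns/sam.ldb
unconfined_u:object_r:samba_var_t:s0 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
EOF
}

# On a real host: list_contexts | find_mislabeled
sample_listing | find_mislabeled || echo "relabel needed: restorecon -R $DLZ_DIR"
```
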


