Need Info for Fedora 27, SELinux, Bind and Samba 4.7

Rowland Penny rpenny at samba.org
Wed Nov 1 20:42:41 UTC 2017

Hi Dario, whilst I don't know all the answers, I will answer to the
best of my abilities ;-)

On Wed, 01 Nov 2017 18:11:17 +0100
Dario Lesca via samba-technical <samba-technical at lists.samba.org> wrote:

> I have filed this bug in Bugzilla for Fedora 27:
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> 
> Now Petr Menšík asked me these questions:
> 
> > Product: Fedora
> > Version: 27
> > Component: bind
> > 
> > Petr Menšík <pemensik at redhat.com> has asked Dario Lesca
> > <d.lesca at solinos.it> for needinfo:
> 
> > Bug 1476187: Service bind not start due selinux when configured with
> > samba deploy with --dns-backend=BIND9_DLZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> > 
> > 
> > 
> > --- Comment #4 from Petr Menšík <pemensik at redhat.com> ---
> > Hi Dario,
> > 
> > chcon is not enough for distribution, it has to be reset by
> > restorecon. I think
> > 
> > /etc/selinux/targeted/contexts/files/file_contexts needs one more
> > line:
> > 
> > /var/lib/samba/bind-dns/dns(/.*)?  system_u:object_r:named_cache_t:s0
> > 
> > This file is owned by selinux-policy-targeted package. Please use
> > named_cache_t instead, that is used for dynamic zones in bind.
> > 
> > You could then reset contexts from %post script of samba package.
> > $ restorecon -R /var/lib/samba/bind-dns/dns
> > 
> > I wonder if both samba and bind would access this file at the same
> > time?

Yes

> 
> > Is it designed to be written by both samba and bind?

Yes

> > 
> > In general, DLZ modules should be installed into /usr/lib*/bind I
> > think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> > does not make sense to distribute modules for different bind
> > versions than packaged (current is bind 9.11 for 26+).

If you read the 'named.conf' file that Samba ships, you will find that
there are a few .so files; they are called 'dlz_bind9_${VER}.so',
where '${VER}' is the Bind minor version.

> > 
> > Bind supports also chroot mode (bind-chroot package), that would not
> > have access to /var/lib/samba/bind-dns/dns without specific setup of
> > chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> > that, configuration and keytab for bind should be in /etc/named/,
> > where it is already handled by setup script. The same with DLZ
> > module location.

The 'chroot problem' will not be a problem at all, you cannot run Bind9
in a chroot with a Samba AD DC ;-)

> > 
> > Does it require access to samba database files?

OH yes

> 
> > Which files or directories does it require?

Obviously the 'dns' files

> 
> I'm not a developer, I'm only a simple test user and I cannot answer
> Peter.

I think 'Peter' needs to talk to the Red Hat-sponsored Samba developers
who are working on getting the Samba AD DC to work with MIT Kerberos.

Rowland
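The point Petr makes in comment #4 is that a `chcon` label is lost the next time `restorecon` runs, so the label has to come from a file-context mapping. The script below is an added example, not code from the thread, Samba or Fedora: it reports whether the zone directory named in the bug report already carries the suggested `named_cache_t` type and, with `--apply`, records the mapping with `semanage fcontext` (which writes to the local store rather than the package-owned `file_contexts`) before relabelling with `restorecon`. The path and type come from the thread; the helper names are my own, and `semanage` (policycoreutils-python-utils), `restorecon` and GNU `stat -c %C` are assumed to be present on a Fedora host with root access.

```shell
#!/bin/sh
# Added example, not from the thread: check and persistently fix the SELinux
# label on Samba's BIND9_DLZ zone directory. Assumes Fedora with
# policycoreutils (restorecon) and policycoreutils-python-utils (semanage).

SAMBA_DNS_DIR="/var/lib/samba/bind-dns/dns"   # path from the bug report
WANT_TYPE="named_cache_t"                      # type suggested in comment #4

# The file_contexts-style line that the mapping corresponds to.
fcontext_line() {
    printf '%s(/.*)?\tsystem_u:object_r:%s:s0\n' "$1" "$2"
}

# Pull the type field out of a full context such as
# system_u:object_r:samba_var_t:s0 (fields are user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context already carries the wanted type, 1 otherwise.
label_ok() {
    [ "$(context_type "$1")" = "$2" ]
}

# Current on-disk context of a path (GNU stat %C prints the SELinux context).
current_context() {
    stat -c %C "$1"
}

# Record the mapping in the local policy store and relabel the tree.
# semanage -a fails if a mapping for the pattern already exists, so fall
# back to -m (modify) in that case; restorecon then applies the new type.
relabel_tree() {
    pattern="$1(/.*)?"
    semanage fcontext -a -t "$2" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$2" "$pattern"
    restorecon -Rv "$1"
}

# Usage: ./samba-dns-label.sh --check   (report only)
#        ./samba-dns-label.sh --apply   (register mapping and relabel, as root)
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--apply" ]; then
    ctx=$(current_context "$SAMBA_DNS_DIR")
    if label_ok "$ctx" "$WANT_TYPE"; then
        echo "$SAMBA_DNS_DIR already labelled $ctx"
    else
        echo "$SAMBA_DNS_DIR is $ctx, wanted type $WANT_TYPE"
        echo "mapping needed: $(fcontext_line "$SAMBA_DNS_DIR" "$WANT_TYPE")"
        if [ "$1" = "--apply" ]; then
            relabel_tree "$SAMBA_DNS_DIR" "$WANT_TYPE"
        fi
    fi
fi
```

Using `semanage fcontext` rather than editing `/etc/selinux/targeted/contexts/files/file_contexts` keeps the mapping across selinux-policy-targeted updates, which is the same reason Petr objects to shipping a `chcon` in the package: only a mapping survives a later `restorecon`.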