Men & Mice DNS Server Controller and Security Enhanced (SE) Linux
Symptom
BIND fails to start after installing Men & Mice DNS Server Controller on a Linux system with SE Linux enabled.
Problem
During installation, the Men & Mice DNS Server Controller installation script rearranges the BIND configuration file, named.conf, and adds a new log file. Information about the rearrangement and new log file needs to be entered into the SE Linux policy.
Solution
This document describes how to install Men & Mice DNS Server Controller 5.1.3 on an SELinux-enabled system (Fedora Core 4). For other SELinux distributions, please contact Men & Mice Support.
SELinux (Security-Enhanced Linux) in Fedora Core is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Standard Linux security is a discretionary access control model.
Prerequisites (these are the defaults in a Fedora Core 4 installation):
- Standard Fedora Core 4 Server Install including BIND 9.3.1
- BIND 9.3.1 running in a CHROOT jail in /var/named/chroot
Please read all steps necessary before starting the Men & Mice Suite Installation. Configuring SELinux is not an easy task and good Unix and security skills are needed.
Complete all steps with root privileges.
- Install the SELinux Security Policy Source Package:
yum install selinux-policy-targeted-sources
Make sure that SELinux is in enforce mode. The getenforce command should respond with enforcing.
- Download the Men & Mice 5.1.3 installation package. Unpack the installation package in a temporary directory. Change into the installation directory, mmsuite-5.1.3, and then start the installation script.
- Select installation of Men & Mice DNS Server Controller.
- (optional) Select installation of Men & Mice Central if desired.
- Select that Men & Mice DNS Server Controller should run in a CHROOT environment, and that the chroot directory is /var/named/chroot.
- The user and group name for the named process are user "named" and group "named".
- Continue installation. The installation script will rearrange the BIND configuration file, will restart BIND, and will start the Men & Mice services. Test and make sure that the BIND name server has successfully restarted. The named process should be running.
- With the default SELinux policy, BIND will not be able to create the Men & Mice log file in /var/named/chroot/var/named/quickdns.log. Check the SELinux audit log for missing access rights:
audit2allow -i /var/log/audit/audit.log -l
This should print out:
allow named_t named_conf_t:dir add_name;
Add this line to the local SELinux policy configuration file:
audit2allow -i /var/log/audit/audit.log >> /etc/selinux/targeted/src/policy/domains/misc/local.te
Build a new SELinux policy:
cd /etc/selinux/targeted/src/policy/ && make load
- Restart BIND.
/etc/init.d/named restart
The logfile /var/named/chroot/var/named/quickdns.log should now appear.
- If the Linux firewall is enabled, ensure that Men & Mice Management Console can access port 1337/TCP for Men & Mice DNS Server Controller and port 1231 for Men & Mice Central, if installed. Check the enabled firewall ports with the SecurityLevel Configuration Applet:
system-config-securitylevel
- For security reasons, the SELinux Policy Sources can be removed after installation:
yum remove selinux-policy-targeted-sources
- Try to add the new DNS server to Men & Mice Management Console. Check the server's Log window and Info window from the Management Console.
Men & Mice DNS Server Controller and the BIND name server are now ready for production work. If you would like to use dynamic DNS with your name server, please read the named_selinux man page on how to enable write permissions on zone files for BIND.
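A guard for the audit2allow append step above, as an added example that is not part of the original article or of the Men & Mice installer. The append command reads the whole audit log (it has no -l), so it can pick up denials from domains other than named_t; the functions below append rules only when every one of them has named_t as its source domain. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Men & Mice code): review audit2allow output before it
# reaches local.te. Assumption: only rules whose source domain is named_t
# are expected from this installation.

# Constructed sample: the rule the article expects, plus an unrelated rule
# that could appear if another confined service was denied in the same log.
SAMPLE_OK='allow named_t named_conf_t:dir add_name;'
SAMPLE_MIXED='allow named_t named_conf_t:dir add_name;
allow httpd_t shadow_t:file read;'

# stdin: audit2allow output. stdout: accepted rules. Exit 1 if any line is
# neither a comment, a blank line, nor an "allow named_t ...;" rule.
filter_named_rules() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        $1 == "allow" && $2 == "named_t" && /;[ \t]*$/ { print; next }
        { print "REJECTED: " $0 > "/dev/stderr"; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# $1: policy file to append to. Nothing is written unless every rule passes.
append_reviewed_rules() {
    target=$1
    tmp=$(mktemp) || return 1
    if filter_named_rules > "$tmp"; then
        cat "$tmp" >> "$target"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage on the system described above (paths are the article's):
#   audit2allow -i /var/log/audit/audit.log |
#       append_reviewed_rules /etc/selinux/targeted/src/policy/domains/misc/local.te
```

A non-zero exit status means local.te was left untouched; the rejected lines are printed on stderr so they can be investigated separately.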
Additional Information on SELinux:
- SELinux Homepage: http://www.nsa.gov/selinux/
- Fedora/RedHat SELinux FAQ: http://fedora.redhat.com/docs/selinux-faq/
- Fedora Project SELinux Wiki: http://fedoraproject.org/wiki/SELinux
- Fedora BIND SELinux Manpage: http://fedoraproject.org/wiki/SELinux/named
- Russell Coker's SELinux Information: http://www.coker.com.au/selinux/

