Need Info for Fedora 27, SELinux., Bind and Samba 4.7


Need Info for Fedora 27, SELinux., Bind and Samba 4.7

Samba - samba-technical mailing list
I have filed this bug in Bugzilla for Fedora 27:
https://bugzilla.redhat.com/show_bug.cgi?id=1476187

Now Petr Menšík asks me these questions:

> Product: Fedora
> Version: 27
> Component: bind
>
> Petr Menšík <[hidden email]> has asked Dario Lesca
> <[hidden email]> for needinfo:

> Bug 1476187: Service bind not start due selinux when configured with
> samba deploy with --dns-backend=BIND9_DLZ
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
>
>
>
> --- Comment #4 from Petr Menšík <[hidden email]> ---
> Hi Dario,
>
> chcon is not enough for distribution, it has to be reset by
> restorecon. I think
>
> /etc/selinux/targeted/contexts/files/file_contexts needs one more
> line:
>
> /var/lib/samba/bind-dns/dns(/.*)?       system_u:object_r:named_cache_t:s0
>
> This file is owned by selinux-policy-targeted package. Please use
> named_cache_t instead, that is used for dynamic zones in bind.
>
> You could then reset contexts from %post script of samba package.
> $ restorecon -R /var/lib/samba/bind-dns/dns
>
> I wonder if both samba and bind would access this file at the same
> time?

> Is it designed to be written by both samba and bind?
>
> In general, DLZ modules should be installed into /usr/lib*/bind I
> think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> does not make sense to distribute modules for different bind versions
> than packaged (current is bind 9.11 for 26+).
>
> Bind supports also chroot mode (bind-chroot package), that would not
> have access to /var/lib/samba/bind-dns/dns without specific setup of
> chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> that configuration and keytab for bind should be in /etc/named/,
> where it is already handled by setup script. The same with DLZ
> module location.
>
> Does it require access to samba database files?

> Which files or directories does it require?

I'm not a developer, I'm only a simple test user, and I cannot answer
Peter.

Can someone help me answer these questions?

I'll take it back to Bugzilla.

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 26 Workstation)
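Petr's point about chcon versus restorecon deserves a concrete form. The script below is an added example, not something from this thread, from the Samba project or from Fedora packaging: it records the label Petr proposes as a persistent fcontext rule in the local policy store (a `semanage fcontext` rule is what a local admin uses in place of the `file_contexts` line he suggests for selinux-policy-targeted), runs `restorecon` to apply it, and checks `ls -Z` style output for files that still carry the wrong type. The path `/var/lib/samba/bind-dns/dns` and the type `named_cache_t` are taken from his comment; the function names, the `--apply` flag and the sample listing lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread, Samba or Fedora packaging).
# Assumed: DLZ_DIR and WANT_TYPE come from Petr's comment; the function
# names and the SAMPLE listing below are constructed for illustration.

DLZ_DIR='/var/lib/samba/bind-dns/dns'
WANT_TYPE='named_cache_t'

# Extract the SELinux type (third field) from a context string such as
# system_u:object_r:named_cache_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read lines of the form "<context> <path>" (what `ls -Z` or
# `find -printf '%Z %p\n'` produce) on stdin and print each path whose
# type is not WANT_TYPE. Returns 0 when every entry is labelled correctly,
# 1 when at least one needs relabelling.
find_mislabelled() {
    _rc=0
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        if [ "$(selinux_type "$ctx")" != "$WANT_TYPE" ]; then
            printf '%s %s\n' "$path" "$ctx"
            _rc=1
        fi
    done
    return $_rc
}

# Persistent fix: store the rule in the local fcontext database, so a
# full relabel or a later restorecon keeps it. A plain `chcon` only
# changes the inode label and is undone by the next restorecon.
# (-m modifies the rule if an identical pattern was already added.)
apply_fcontext() {
    semanage fcontext -a -t "$WANT_TYPE" "${DLZ_DIR}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "${DLZ_DIR}(/.*)?"
    restorecon -Rv "$DLZ_DIR"
}

# Constructed sample listing: one file still carrying the inherited
# /var/lib/samba label, and one that was relabelled by hand with chcon.
SAMPLE='system_u:object_r:samba_var_t:s0 /var/lib/samba/bind-dns/dns/sam.ldb
unconfined_u:object_r:named_cache_t:s0 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb'

if [ "${1:-}" = "--apply" ]; then
    apply_fcontext
else
    # Report mode: on a real host replace SAMPLE with
    #   find "$DLZ_DIR" -printf '%Z %p\n'
    printf '%s\n' "$SAMPLE" | find_mislabelled \
        || echo "relabel needed: run $0 --apply (as root)"
fi
```

Run without arguments to see which entries would fail the check; run with `--apply` as root to add the rule and relabel. `semanage fcontext -l | grep bind-dns` afterwards shows the stored rule, and `matchpathcon /var/lib/samba/bind-dns/dns/sam.ldb` confirms what restorecon will set. A package-level fix would instead carry the same pattern in the policy's `file_contexts`, as Petr describes, and call `restorecon -R` from `%post`.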


Re: Need Info for Fedora 27, SELinux., Bind and Samba 4.7


Hi Dario, whilst I don't know all the answers, I will answer to the
best of my abilities ;-)

On Wed, 01 Nov 2017 18:11:17 +0100
Dario Lesca via samba-technical <[hidden email]> wrote:

> I have filed this bug in Bugzilla for Fedora 27:
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
>
> Now Petr Menšík asks me these questions:
>
> > Product: Fedora
> > Version: 27
> > Component: bind
> >
> > Petr Menšík <[hidden email]> has asked Dario Lesca
> > <[hidden email]> for needinfo:
>
> > Bug 1476187: Service bind not start due selinux when configured with
> > samba deploy with --dns-backend=BIND9_DLZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> >
> >
> >
> > --- Comment #4 from Petr Menšík <[hidden email]> ---
> > Hi Dario,
> >
> > chcon is not enough for distribution, it has to be reset by
> > restorecon. I think
> >
> > /etc/selinux/targeted/contexts/files/file_contexts needs one more
> > line:
> >
> > /var/lib/samba/bind-dns/dns(/.*)?       system_u:object_r:named_cache_t:s0
> >
> > This file is owned by selinux-policy-targeted package. Please use
> > named_cache_t instead, that is used for dynamic zones in bind.
> >
> > You could then reset contexts from %post script of samba package.
> > $ restorecon -R /var/lib/samba/bind-dns/dns
> >
> > I wonder if both samba and bind would access this file at the same
> > time?

Yes

>
> > Is it designed to be written by both samba and bind?

Yes

> >
> > In general, DLZ modules should be installed into /usr/lib*/bind I
> > think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> > does not make sense to distribute modules for different bind
> > versions than packaged (current is bind 9.11 for 26+).

If you read the 'named.conf' file that Samba ships, you will find that
there are a few .so files; they are called 'dlz_bind9_${VER}.so',
where '${VER}' is the Bind minor version.

> >
> > Bind supports also chroot mode (bind-chroot package), that would not
> > have access to /var/lib/samba/bind-dns/dns without specific setup of
> > chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> > that configuration and keytab for bind should be in /etc/named/,
> > where it is already handled by setup script. The same with DLZ
> > module location.

The 'chroot problem' will not be a problem at all, you cannot run Bind9
in a chroot with a Samba AD DC ;-)

> >
> > Does it require access to samba database files?

Oh yes

>
> > Which files or directories does it require?

Obviously the 'dns' files

>
> I'm not a developer, I'm only a simple test user, and I cannot answer
> Peter.

I think 'Peter' needs to talk to the Red Hat-sponsored Samba developers
who are working on getting the Samba AD DC to work with MIT Kerberos.

Rowland



Re: Need Info for Fedora 27, SELinux., Bind and Samba 4.7

On Wed, 01/11/2017 at 20:42 +0000, Rowland Penny via samba-technical
wrote:
> I think 'Peter' needs to talk to the Red Hat-sponsored Samba
> developers who are working on getting the Samba AD DC to work with
> MIT Kerberos.
>
>
Thanks Rowland, I have forwarded your reply to Bugzilla.

Now let's see what happens.

Thanks

--
Dario Lesca
(sent from my Linux Fedora 26 Workstation)