BIND named unable to write log files due to SELinux
Issue
- BIND named is not writing logs to the configured locations unless SELinux is in permissive mode (setenforce 0) when I start it
- By default, should SELinux allow named to write to its own log file? I'm seeing this report from setroubleshoot:
    SELinux is preventing /usr/sbin/named from append access on the file /var/named/logs/named.log.
    ...
    Additional Information:
    Source Context                system_u:system_r:named_t:s0
    Target Context                system_u:object_r:named_zone_t:s0
    Target Objects                /var/named/logs/named.log [ file ]
    Source                        named
    Source Path                   /usr/sbin/named
    ...
    Raw Audit Messages
    type=AVC msg=audit(1445536202.809:97592): avc: denied { append } for pid=1908 comm="named" name="named.log" dev="dm-0" ino=1504013 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
    type=SYSCALL msg=audit(1445536202.809:97592): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f8512462240 a1=441 a2=1b6 a3=fffffffffffffd49 items=0 ppid=1 pid=1908 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=named exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
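To read a denial like the one above at a glance, the following added example (not part of the original article) parses an AVC record into the denied permission, the source domain and the label on the target object. The function names are illustrative, and the sample line is the AVC record from the report above.

```python
import re

# AVC record copied from the setroubleshoot report above.
SAMPLE = (
    'type=AVC msg=audit(1445536202.809:97592): avc: denied { append } for '
    'pid=1908 comm="named" name="named.log" dev="dm-0" ino=1504013 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may contain colons itself."""
    parts = ctx.split(':', 3) + [None] * 4
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source': parse_context(fields.get('scontext', '')),
        'target': parse_context(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }


def summarize(avc):
    """One line: which domain was refused which access to which label."""
    return '{} {} {{ {} }} on {} "{}" labelled {}'.format(
        avc['source']['type'], avc['result'], ' '.join(avc['perms']),
        avc['tclass'], avc['fields'].get('name'), avc['target']['type'])


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```

For the record above, the summary shows that the named_t domain was refused append on a file carrying the named_zone_t label, which is the type mismatch the report describes.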
Environment
- Red Hat Enterprise Linux
- named / BIND