RHEL/CentOS – Dynamic DNS and SELinux

There are some nice howtos describing how to implement Dynamic DNS using ISC dhcpd and BIND.
Most of them do not tell you how to cope with the additional restrictions that SELinux imposes on a RHEL or CentOS system.

By default the SELinux policy on CentOS (and RHEL) does not allow the named daemon (domain named_t) to create or write files in directories labelled named_zone_t. The /var/named directory carries this label, and files created in it inherit it; named may read its zone files there but not write them.

If your zone files are located in a directory with the named_zone_t label, /var/log/messages will show errors like:

myzone.db.jnl: create: permission denied

and

updating zone 'myzone/IN': error: journal open failed: unexpected error

BIND records every dynamic update in a journal file (myzone.db.jnl) next to the zone file before applying it, so being unable to create the journal effectively blocks dynamic updates.


There are two solutions to this issue.

  • Enable the named_write_master_zones boolean and give the named user or group rwx permissions on the directory that holds the zone files.

The boolean only lifts the SELinux restriction on named_zone_t directories; the ordinary file permissions still apply, and /var/named itself is owned by root and not writable by the named user. You enable the boolean persistently with:

semanage boolean --modify --on named_write_master_zones

  • Place your dynamic zones in /var/named/dynamic/ and point the zone's file statement there.

The bind package ships this directory with the named_cache_t label, which named_t may always write, and with named:named ownership and rwx for user and group, so dynamic updates work there without touching any boolean.
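Both fixes come down to the same two gates: the SELinux type of the zone directory (plus the boolean) and the ordinary file permissions. The script below is an added example, not code from the original article or from Red Hat: its decision logic is self-contained and takes the directory type, owner, group, mode and boolean state as parameters, while the check_dir wrapper reads the live values on a host (it assumes GNU stat, whose %C prints the SELinux context, and getsebool from policycoreutils). It treats named's only group as named, which is the stock RHEL setup.

```shell
#!/bin/sh
# Added example (not from the original article or from Red Hat): decide whether
# named can create the .jnl journal file in a zone directory under SELinux,
# and print which of the two fixes applies.
#
# Two independent gates must both pass before a dynamic update can be journaled:
#   1. SELinux policy: named_t may write named_cache_t always, and named_zone_t
#      only when the named_write_master_zones boolean is on.
#   2. DAC permissions: the named user (or group) needs w+x on the directory
#      to create files in it.

# selinux_write_ok TYPE BOOLEAN   (BOOLEAN is "on" or "off")
# Returns 0 if policy lets named_t create files in a directory of that type.
selinux_write_ok() {
    case "$1" in
        named_cache_t) return 0 ;;
        named_zone_t)  [ "$2" = on ] ;;
        *)             return 1 ;;
    esac
}

# _wx DIGIT: true when an octal permission digit has both w (2) and x (1) set.
_wx() { case "$1" in 3|7) return 0 ;; *) return 1 ;; esac; }

# dac_write_ok OWNER GROUP MODE   (MODE octal, e.g. 750 or 0770)
# Returns 0 if user "named" (primary group "named") can create files in the dir.
# Linux consults only the owner bits for the owner, only the group bits for a
# group member, and the other bits for everyone else.
dac_write_ok() {
    owner=$1; group=$2; mode=$3
    m=${mode#"${mode%???}"}            # last three octal digits: u g o
    u=${m%??}; go=${m#?}; g=${go%?}; o=${go#?}
    if [ "$owner" = named ]; then _wx "$u"
    elif [ "$group" = named ]; then _wx "$g"
    else _wx "$o"
    fi
}

# diagnose TYPE OWNER GROUP MODE BOOLEAN
# Prints a verdict and the matching remedy; returns 0 if updates will work.
diagnose() {
    type=$1; owner=$2; group=$3; mode=$4; boolean=$5
    rc=0
    if ! selinux_write_ok "$type" "$boolean"; then
        rc=1
        echo "SELinux blocks journal creation: type=$type named_write_master_zones=$boolean"
        case "$type" in
            named_zone_t) echo "  fix: setsebool -P named_write_master_zones 1, or move the zone to /var/named/dynamic/" ;;
            *)            echo "  fix: move the zone to /var/named/dynamic/ (named_cache_t)" ;;
        esac
    fi
    if ! dac_write_ok "$owner" "$group" "$mode"; then
        rc=1
        echo "DAC blocks journal creation: $owner:$group $mode gives named no w+x"
        echo "  fix: chgrp named DIR && chmod g+wx DIR"
    fi
    [ "$rc" -eq 0 ] && echo "OK: named can create zone journals here"
    return "$rc"
}

# check_dir DIR: read the live values on a RHEL/CentOS host and diagnose them.
# On a host without SELinux, stat prints "?" for the context and the SELinux
# gate reports a failure; run this where SELinux is actually enabled.
check_dir() {
    dir=$1
    ctx=$(stat -c %C "$dir")                  # e.g. system_u:object_r:named_zone_t:s0
    type=${ctx#*:*:}; type=${type%%:*}        # third field of the context
    set -- $(stat -c '%U %G %a' "$dir")       # owner group octal-mode
    bool=$(getsebool named_write_master_zones | awk '{print $NF}')
    echo "$dir: $type $1:$2 $3, named_write_master_zones=$bool"
    diagnose "$type" "$1" "$2" "$3" "$bool"
}

# Usage (as root on the DNS server):  sh selinux-ddns-check.sh /var/named
if [ -n "${1:-}" ]; then
    check_dir "$1"
fi
```

Run it against the directory named in the zone's file statement; a directory that passes the SELinux gate but fails the DAC gate is the common case after enabling the boolean without adjusting ownership.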


Sources:
/var/log/messages
Red Hat: BIND and SELinux