Can't start Bind open: /etc/named.conf: permission denied
Solution 1
When I replaced the named.conf, the SELinux context got messed up. When doing ls -Z it should look like this
-rw-r--r--. root root system_u:object_r:named_conf_t:s0 named.conf
As you can see, mine is different. To reset it, I used
restorecon -RFv /etc/named.conf
With this, however, doing ls -Z gave me this
-rw-r-----. root root system_u:object_r:named_conf_t:s0 named.conf
To add the last 'r' so everyone can read it, I did
chmod 644 /etc/named.conf
Stopped the named service and restarted it, and it works again.
Solution 2
On CentOS 7 bind runs by default as named user, not root, hence it cannot read your named.conf, as it is owned by root and readable by root only.
As Håkan Lindqvist already commented, the permissions on CentOS 7 should look like below:
-rw-r-----. 1 root named 10672 04-09 20:02 /etc/named.conf
so do:
# chown root:named /etc/named.conf
# chmod 640 /etc/named.conf
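The two answers fix different halves of the same check: Solution 1 restores the SELinux label (named_conf_t) and Solution 2 restores ownership and mode (root:named, 0640). The script below is an added illustration, not code from either answer, that audits a named.conf against both expectations at once and also flags a config that non-root users could write. The check function takes the four values as arguments so it can be exercised with constructed inputs; the wrapper reads them from a real file with GNU stat, whose `%C` format prints `?` when there is no SELinux label, which the check treats as "nothing to verify".

```shell
#!/bin/bash
# Added example (not from the original thread): audit the permissions and
# SELinux label of a BIND configuration file against what CentOS 7 ships
# (root:named, mode 0640, type named_conf_t).

# check_named_conf MODE OWNER GROUP SECONTEXT
# MODE is octal as printed by `stat -c %a` (e.g. 640). Prints one line per
# finding and returns 1 if the named user could not read the file, the file
# is writable by group/other, or the SELinux type is wrong.
check_named_conf() {
    mode=$1 owner=$2 group=$3 context=$4
    rc=0
    bits=$((0$mode))            # leading 0 makes the shell parse it as octal

    # The config should stay owned by root so only root can change it.
    if [ "$owner" != "root" ]; then
        echo "FAIL: owner is $owner, expected root"
        rc=1
    fi

    # named runs as the 'named' user (Solution 2), so it reads the file either
    # through the named group with the group-read bit, or through other-read.
    group_read=$(( bits & 040 ))
    other_read=$(( bits & 004 ))
    if [ "$group" = "named" ] && [ "$group_read" -ne 0 ]; then
        :   # stock layout: root:named 0640
    elif [ "$other_read" -ne 0 ]; then
        echo "NOTE: readable by everyone (mode $mode); root:named 0640 is tighter"
    else
        echo "FAIL: user 'named' cannot read the file (mode $mode, group $group)"
        rc=1
    fi

    # A config that non-root users can write lets them point named at
    # arbitrary zone data and options; never accept group/other write bits.
    if [ $(( bits & 022 )) -ne 0 ]; then
        echo "FAIL: writable by group/other (mode $mode)"
        rc=1
    fi

    # SELinux: named may only open files labelled named_conf_t (Solution 1).
    # Skip the check when there is no label (SELinux disabled; stat prints '?').
    case "$context" in
        ""|"?") ;;
        *:*:*)
            setype=${context#*:*:}      # drop the user and role fields
            setype=${setype%%:*}        # keep the type, drop the level
            if [ "$setype" != "named_conf_t" ]; then
                echo "FAIL: SELinux type is $setype, expected named_conf_t (run restorecon)"
                rc=1
            fi
            ;;
    esac
    return "$rc"
}

# audit_named_conf_file PATH: gather the values with GNU stat and check them.
# Usage (as root): audit_named_conf_file /etc/named.conf
audit_named_conf_file() {
    f=${1:-/etc/named.conf}
    # %a octal mode, %U owner, %G group, %C SELinux context ('?' if none)
    vals=$(stat -c '%a %U %G %C' "$f" 2>/dev/null) || { echo "cannot stat $f"; return 2; }
    set -- $vals
    check_named_conf "$1" "$2" "$3" "$4"
}
```

A non-zero exit from audit_named_conf_file means named would fail with the same "open: /etc/named.conf: permission denied" as in the question. A NOTE line (world-readable 644, as Solution 1 ended up with) is not a failure, since named can read the file, but root:named 0640 is what the package ships.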
Nelson SMG
Updated on September 18, 2022
Comments
Nelson SMG over 1 year
so I'm really new on this and was following this tutorial to set up bind, and up to 4:50 I was having no problems, I could ping, use nslookup and had internet connection with the DNS server, then we had to add the zones and create the zone files (just creating them), perfect, I restart to see if there's any trouble (I use a virtual machine btw), then I could no longer ping, use nslookup and I didn't even have internet connection. This is what I got using systemctl status
Redirecting to /bin/systemctl status -l named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor prese$
   Active: failed (Result: exit-code) since jue 2019-04-25 23:14:30 -04; 3min 3$
  Process: 3355 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "y$
abr 25 23:14:30 linux bash[3355]: _default/0.168.192.in-addr.arpa/IN: bad zone
abr 25 23:14:30 linux bash[3355]: zone localhost.localdomain/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone localhost/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.$
abr 25 23:14:30 linux bash[3355]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial$
abr 25 23:14:30 linux bash[3355]: zone 0.in-addr.arpa/IN: loaded serial 0
abr 25 23:14:30 linux systemd[1]: named.service: control process exited, code=e$
abr 25 23:14:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain$
abr 25 23:14:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:14:30 linux systemd[1]: named.service failed.
I thought this was because of the empty zone files, so I replaced it with a named.conf without the zones, tried to restart with service restart named but got (again):
Failed to start BIND : Redirecting to /bin/systemctl start named.service Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
So I did
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since jue 2019-04-25 23:25:30 -04; 1min 3s ago
  Process: 5557 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 5552 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
abr 25 23:25:30 linux named[5559]: found 2 CPUs, using 2 worker threads
abr 25 23:25:30 linux named[5559]: using 2 UDP listeners per interface
abr 25 23:25:30 linux named[5559]: using up to 21000 sockets
abr 25 23:25:30 linux named[5559]: loading configuration from '/etc/named.conf'
abr 25 23:25:30 linux named[5559]: open: /etc/named.conf: permission denied
abr 25 23:25:30 linux named[5559]: loading configuration: permission denied
abr 25 23:25:30 linux systemd[1]: named.service: control process exited, code=exited status=1
abr 25 23:25:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
abr 25 23:25:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:25:30 linux systemd[1]: named.service failed.
It's a permission problem but it worked perfectly before so I'm at a loss.
This is what I get by doing ls -l /etc/named.conf:
-rw-r-----. 1 root root 1808 abr 25 15:13 /etc/named.conf
And this is when I do ls -Z /etc/named.conf (if it has something to do with SELinux):
-rw-r-----. 1 root root unconfined_u:object_r:etc_t:s0 /etc/named.conf
Not sure if it helps, but here's the named.conf
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
I also don't have a chroot folder in /etc/named/
Is there a solution for this? Thanks.
Håkan Lindqvist about 5 years
-rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.conf
is what named.conf looks like out of the box on CentOS
Tenders McChiken over 2 years
On Debian 11, bind is confined with AppArmor, so just changing filesystem access permissions will not work. You need to edit your AppArmor profile to allow access to other areas:
/etc/apparmor.d/usr.sbin.named
John Greene over 4 years
Except, this problem also occurs with SELinux disabled. It's a vendor-specific issue, notably ISC-Bind9, and affects administrators who use another location for their named PID file. Details are given here: serverfault.com/a/999128/250390
John Greene over 4 years
And for the next administrator to come along, I would add a README file into the empty /run/named telling him why it is to remain empty and existing. But this new tmpfiles.d will just blow it away. :-/