-----Original Message-----
From: fedora-devel-list-bounces@redhat.com [mailto:fedora-devel-list-bounces@redhat.com] On Behalf Of Ivan Gyurdiev
Sent: Monday, March 29, 2004 6:35 PM
To: fedora-devel-list@redhat.com
Subject: Selinux and named

Named complains: capset failed whether in enforcing mode or not.
Online documentation suggests ./configure --disable-linux-caps, but I'd like to keep my bind rpm.
What could be the problem?
Bind automatically tries to escalate its priority, and something (selinux?) is denying it. I'd like to suggest that the officially distributed bind be built with --disable-linux-caps. Programs should not automatically attempt to escalate themselves IMHO. If the process priority needs to be changed, it should be done in the init script.
This change would also allow fedora's bind to work under a vserver without modifications, which would certainly make a few of us happy.
You could probably fix this problem by changing the selinux policy, but I can't help you much there. With vserver, you would need to allow CAP_SYS_RESOURCE, and I'm guessing the solution under selinux would be close to that.
--erik
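
An added example, not part of the original thread: a small triage helper that separates the two causes discussed above, a capability bounding set without CAP_SYS_RESOURCE (the vserver case) and an SELinux denial of the `setcap` permission that is actually enforced. It assumes a kernel that exposes `CapBnd` in /proc/<pid>/status and audit records that carry a `permissive=` field; the sample inputs are constructed.

```python
import re

CAP_SYS_RESOURCE = 24  # bit number from <linux/capability.h>

# Constructed sample inputs (not taken from the thread).
SAMPLE_STATUS = "Name:\tnamed\nCapEff:\t0000000000000000\nCapBnd:\t000001fffeffffff\n"
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1080603300.000:42): avc:  denied  { setcap } for  pid=1234 '
    'comm="named" scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:system_r:named_t:s0 tclass=process permissive=0\n'
    'type=AVC msg=audit(1080603360.000:43): avc:  denied  { setcap } for  pid=1240 '
    'comm="named" scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:system_r:named_t:s0 tclass=process permissive=1\n'
)

def bounding_set_allows(status_text, cap_bit=CAP_SYS_RESOURCE):
    """True if the CapBnd mask in /proc/<pid>/status text contains cap_bit."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return bool((int(m.group(1), 16) >> cap_bit) & 1)

def setcap_denials(audit_text, comm="named"):
    """Return (line, enforced) for each AVC denial of process:setcap by comm."""
    hits = []
    for line in audit_text.splitlines():
        if "avc:" not in line or "denied" not in line:
            continue
        perms = re.search(r"\{([^}]*)\}", line)
        if not perms or "setcap" not in perms.group(1).split():
            continue
        if f'comm="{comm}"' not in line or "tclass=process" not in line:
            continue
        # permissive=1 means the denial was logged but the call was allowed.
        hits.append((line, "permissive=1" not in line))
    return hits

def triage(status_text, audit_text):
    """List which layer, if any, can explain a failing capset() in named."""
    findings = []
    if not bounding_set_allows(status_text):
        findings.append("bounding set lacks CAP_SYS_RESOURCE")
    if any(enforced for _, enforced in setcap_denials(audit_text)):
        findings.append("SELinux enforced a setcap denial")
    return findings
```

On a live system the inputs would be the contents of /proc/<pid of named>/status and the audit log; an empty result points away from both layers.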