---
title: "Why can't named update some zone database/journal files?"
slug: "aa-00320"
description: "By default, named is not allowed by the SELinux security policy to write, create, or delete files except in specific locations."
updated: 2021-07-20T19:31:37Z
published: 2021-07-20T19:31:37Z
canonical: "kb.isc.org/aa-00320"
---


# Why can't named update secondary zone database files, secondary journal files and primary zones from journals?

It is not known exactly which versions of Red Hat Enterprise Linux (RHEL), SELinux, and Fedora Core are affected by the problem addressed by this article. The article may also apply to SELinux in other distributions.

This is a problem that has been reported when running BIND 9 on Red Hat Enterprise Linux or Fedora Core. Specifically, problems are encountered with updating secondary zone database files, creating DDNS journal files, and updating primary zones from journals. It also manifests itself as **named** being unable to create custom log files.

Red Hat's Security-Enhanced Linux (SELinux) policy protections:

Red Hat has adopted the National Security Agency's SELinux security policy and recommendations for BIND security, which are more secure than running **named** in a chroot and make use of the bind-chroot environment unnecessary.

By default, **named** is not allowed by the SELinux policy to write, create, or delete any files EXCEPT in these directories:

```
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
```

where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.

The SELinux policy particularly does NOT allow **named** to modify the $ROOTDIR/var/named directory, the default location for primary zone database files.

SELinux policy overrules file access permissions, so even if all the files under /var/named have ownership named:named and mode rw-rw-r--, **named** will still not be able to write or create files except in the directories above, with SELinux in Enforcing mode. So, to allow **named** to update secondary or DDNS zone files, it is best to locate them in $ROOTDIR/var/named/secondaries, with `named.conf` zone statements such as:

```
zone "secondary.zone." IN {
    type secondary;
    file "secondaries/secondary.zone.db";
    ...
};

zone "ddns.zone." IN {
    type primary;
    allow-update { ... };
    file "secondaries/ddns.zone.db";
};
```

To allow **named** to create its cache dump and statistics files, for example, you could use `named.conf` options statements such as:

```
options {
    ...
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    ...
};
```
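As an added example (not from the ISC article), the following POSIX sh pre-flight check resolves every zone `file` path in a `named.conf` against the options `directory`, the way **named** does, and reports whether it lies under a directory the default SELinux policy lets **named** write to. It assumes `/var/named/secondaries`, as used in the example above, carries the named_cache_t context like slaves/ and data/, and that `ROOTDIR` is empty unless bind-chroot is in use.

```shell
# Added example (not from the ISC article): check each zone "file" path in a
# named.conf against the directories the default SELinux policy lets named
# write to. Assumes /var/named/secondaries (the article's example) is labelled
# named_cache_t like slaves/ and data/, and ROOTDIR is empty without bind-chroot.
ROOTDIR="${ROOTDIR:-}"

# Return 0 when a resolved path lies under a directory named may modify.
named_writable_path() {
    case "$1" in
        "$ROOTDIR"/var/named/slaves/*|"$ROOTDIR"/var/named/secondaries/*| \
        "$ROOTDIR"/var/named/data/*|"$ROOTDIR"/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve a "file" value the way named does: relative to the options "directory".
resolve_zone_file() {   # $1 = directory, $2 = file value
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Print "WRITABLE <path>" or "READ-ONLY <path>" for each zone file directive.
# Only lines beginning with "file" count, so dump-file/statistics-file are skipped.
check_named_conf() {   # $1 = path to named.conf
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    dir="${dir:-/var/named}"
    sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | while read -r f; do
        p=$(resolve_zone_file "$dir" "$f")
        if named_writable_path "$p"; then echo "WRITABLE  $p"; else echo "READ-ONLY $p"; fi
    done
}

# Constructed sample named.conf for demonstration, written to the path in $1.
sample_named_conf() {
    cat >"$1" <<'EOF'
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
};
zone "example.test." IN {
    type primary;
    file "example.test.db";
};
zone "secondary.zone." IN {
    type secondary;
    file "secondaries/secondary.zone.db";
};
EOF
}
```

Run `check_named_conf /etc/named.conf` on a real host; a READ-ONLY line for a secondary or DDNS zone means the file must be moved or relabelled before **named** can update it.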

You can also tell SELinux to allow **named** to update any zone database files by setting the SELinux tunable boolean parameter `named_write_primary_zones=1`, using the system-config-securitylevel GUI, the `setsebool` command, or /etc/selinux/targeted/booleans.

You can disable SELinux protection for **named** entirely by setting the `named_disable_trans=1` SELinux tunable boolean parameter.

The SELinux named policy defines these SELinux contexts for **named**:

- `named_zone_t`: for zone database files - $ROOTDIR/var/named/*
- `named_conf_t`: for named configuration files - $ROOTDIR/etc/{named,rndc}.*
- `named_cache_t`: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}

If you want to retain use of the SELinux policy for **named**, and put **named** files in different locations, you can do so by changing the context of the custom file locations.

To create a custom configuration file location, e.g. `/root/named.conf`, to use with the `named -c` option, do:

```
# chcon system_u:object_r:named_conf_t /root/named.conf
```

To create a custom modifiable **named** data location, e.g. `/var/log/named` for a log file, do:

```
# chcon system_u:object_r:named_cache_t /var/log/named
```

To create a custom zone file location, e.g. /root/zones/, do:

```
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
```

See these man-pages for more information: selinux(8), named_selinux(8), chcon(1), setsebool(8)
