BIND no longer starting on boot with F37


Problem

Just upgraded from F36 to F37. BIND fails to start successfully under F37. Details below.

# Errors state that /var/named is not writable, nor is /etc/named.conf

[jihood@zbox ~]$ systemctl status named.service
× named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2022-12-05 04:11:16 CST; 3 days ago
    Process: 1489 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "C>
    Process: 1493 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
        CPU: 50ms

Dec 05 04:11:16 zbox.home.lan named[1494]: TKEY mode 3 support (GSS-API): yes
Dec 05 04:11:16 zbox.home.lan named[1494]: ../../../bin/named/config.c: option 'trust-anchor-telemetry' is experimental and subject to change in th>
Dec 05 04:11:16 zbox.home.lan named[1494]: loading configuration from '/etc/named.conf'
Dec 05 04:11:16 zbox.home.lan named[1494]: directory '/var/named' is not writable
Dec 05 04:11:16 zbox.home.lan named[1494]: /etc/named.conf:22: parsing failed: permission denied
Dec 05 04:11:16 zbox.home.lan named[1494]: loading configuration: permission denied
Dec 05 04:11:16 zbox.home.lan named[1494]: exiting (due to fatal error)
Dec 05 04:11:16 zbox.home.lan systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Dec 05 04:11:16 zbox.home.lan systemd[1]: named.service: Failed with result 'exit-code'.
Dec 05 04:11:16 zbox.home.lan systemd[1]: Failed to start named.service - Berkeley Internet Name Domain (DNS).

# Directory /var/named appears to be writable to named group

[jihood@zbox ~]$ sudo ls -ld /var/named/
drwxrwx--T. 5 root named 168 Dec  4 05:12 /var/named/

# File /etc/named.conf also appears writable to named group

[jihood@zbox ~]$ ls -l /etc/named.conf
-rw-rw----. 1 root named 2015 Dec  5 03:49 /etc/named.conf

# File contents of /var/named appear writable

[jihood@zbox ~]$ sudo ls -l /var/named
total 24
drw-rw----. 2 named named  127 Oct 23 13:27 data
drw-rw----. 2 named named  120 Oct 23 13:27 dynamic
-rw-rw----. 1 root  named 1611 Aug 26 03:23 home.lan.rev
-rw-rw----. 1 root  named 1685 Aug 26 03:23 home.lan.zone
-rw-rw----. 1 root  named 3312 Oct 23 13:28 named.ca
-rw-rw----. 1 root  named  152 Oct 23 13:28 named.empty
-rw-rw----. 1 root  named  152 Oct 23 13:28 named.localhost
-rw-rw----. 1 root  named  168 Oct 23 13:28 named.loopback
drw-rw----. 2 named named    6 Oct 23 13:27 slaves

# User named belongs to the named group

[jihood@zbox ~]$ getent group named
named:x:25:

# BIND is configured to run as named user

[jihood@zbox ~]$ sudo vi /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target

[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid

ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'

ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

PrivateTmp=true
Restart=on-abnormal

[Install]
WantedBy=multi-user.target

# Contents of named.conf file (in case there is pertinent information in here I am overlooking)

[jihood@zbox ~]$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl goodclients {
        192.168.0.0/24;
        localhost;
        localnets;
};

options {
        listen-on port 53 {
                127.0.0.1;
                192.168.50.74;
        };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { goodclients; };
        forwarders      {
                8.8.8.8;
                8.8.4.4;
        };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        // dnssec-enable yes;
        // dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "home.lan" IN {
        type master;
        file "home.lan.zone";
};

zone "50.168.192.in-addr.arpa" IN {
        type master;
        file "home.lan.rev";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Cause

Not yet known.

Please report a bug to Red Hat Bugzilla. Thanks.
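One thing worth checking mechanically, given the listings in the post above, is the directory mode bits: the subdirectories data, dynamic and slaves are shown as drw-rw----, that is, without the execute (search) bit, and a directory without x cannot be entered by a process running with that group even when it is group-writable. /var/named itself (drwxrwx--T root:named) does pass a DAC check, which is why the "not writable" message on a directory whose bits look right points past ownership toward SELinux, as the replies say. The script below is an added example, not something from the reporter or from the bind package; it builds a throwaway tree with the same modes as the listing (paths constructed for the example) and lists the directories a group member could not enter or write.

```shell
# Added example (not from the post): reproduce the modes shown in the ls
# output above in a temporary tree, then report directories the named group
# could not enter (no g+x) or write (no g+w). Paths are constructed here.

set -u

# Print each directory under $1 lacking the group execute (search) bit.
# Without x on a directory, a process in that group cannot chdir into it or
# open files inside it, however permissive the file modes are.
group_untraversable_dirs() {
    find "$1" -type d ! -perm -g=x 2>/dev/null | sort
}

# Print each directory under $1 lacking the group write bit. named needs
# write on its working directory and data directory for journals and dumps.
group_unwritable_dirs() {
    find "$1" -type d ! -perm -g=w 2>/dev/null | sort
}

# Build a tree mirroring the post's listing; modes are copied from it.
# Prints the temporary root so callers can inspect and remove it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/named"
    chmod 1770 "$root/named"             # drwxrwx--T  like /var/named
    for d in data dynamic slaves; do
        mkdir "$root/named/$d"
        chmod 660 "$root/named/$d"       # drw-rw----  group cannot enter
    done
    touch "$root/named/home.lan.zone"
    chmod 660 "$root/named/home.lan.zone"
    printf '%s\n' "$root"
}

# Restore owner permissions so the temporary tree can be deleted as non-root.
remove_sample_tree() {
    chmod -R u+rwx "$1"
    rm -rf "$1"
}

# Stand-alone run against the sample tree; on a real host point the two
# check functions at /var/named instead (run with sudo to read it).
root=$(make_sample_tree)
echo "Directories the named group cannot enter:"
group_untraversable_dirs "$root/named" | sed "s#^$root##"
echo "Directories the named group cannot write:"
group_unwritable_dirs "$root/named" | sed "s#^$root##"
remove_sample_tree "$root"
```

On the sample tree the first check lists /named/data, /named/dynamic and /named/slaves and the second lists nothing, which matches the post: the write bits are present everywhere, only the search bits on the subdirectories are missing. When both checks come back empty on a real /var/named and named still reports the directory as not writable, the DAC layer is not the blocker and the SELinux audit log is the next place to look.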

grep sealert /var/log/messages | grep named
SELinux is blocking it…or at least it was on mine. It provides the fix too
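The reply above points at the SELinux audit trail. As an added example (not from any poster in this thread), the script below condenses AVC denial lines for the named process into one line per permission, object class, target label and object name, so that a burst of repeated denials reads as a short table. The log lines embedded in it are constructed to follow the audit(8) AVC record layout; they are not from the reporter's system, and the function name avc_summary is this example's own.

```shell
# Added example (not from the thread): summarize SELinux AVC denials for
# named. SAMPLE_AVC_LINES is constructed in the audit(8) AVC format for the
# demo; on a real host feed the function from the audit log instead, e.g.
#   ausearch -m AVC -c named --raw | avc_summary

set -u

SAMPLE_AVC_LINES='type=AVC msg=audit(1670234476.101:311): avc:  denied  { write } for  pid=1494 comm="named" name="named" dev="dm-0" ino=1310 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1670234476.102:312): avc:  denied  { read } for  pid=1494 comm="named" name="named.conf" dev="dm-0" ino=2201 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1670234476.103:313): avc:  denied  { write } for  pid=1494 comm="named" name="named" dev="dm-0" ino=1310 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1670234476.103:313): arch=c000003e syscall=21 success=no exit=-13 comm="named" exe="/usr/sbin/named"'

# Read audit lines on stdin; print "count permissions tclass target_type name"
# for each distinct denial raised by the named process, most frequent first.
avc_summary() {
    grep 'avc:  denied' | grep 'comm="named"' |
    awk '{
        perm = ""; cls = ""; ttype = ""; nm = ""
        for (i = 1; i <= NF; i++) {
            # permissions sit between "{" and "}", possibly several of them
            if ($i == "{") {
                j = i + 1
                while ($j != "}") { perm = perm (perm == "" ? "" : ",") $j; j++ }
            }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^name=/)     { nm = substr($i, 6); gsub(/"/, "", nm) }
        }
        key = perm " " cls " " ttype " " nm
        n[key]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC_LINES" | avc_summary
```

For the sample this prints "2 write dir var_t named" followed by "1 read file etc_t named.conf". The target type column is the part to act on: compare it with what matchpathcon reports for the path, and if the file-system label is simply stale after the upgrade, restorecon -Rv on the directory fixes it; if the labels already match the policy's expectation and the denial persists, the policy itself is what is wrong, which is the case the later replies ask to be reported against selinux-policy.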

@volgclawtooth Please report the bug against selinux-policy, so that this can be fixed for everyone. Thanks.

Did this get a bugzilla entry?
I just hit it hard with an upgrade from Fedora 36 → 38.

See 2211935 – BIND won't start after upgrade from Fedora 36 to Fedora 37 or 38

I am looking for reproducing conditions. So far I only found it may happen on a system installed as F29 or earlier.