I had to abort an exercise I gave students last night during a BIND training, because after adding

allow-new-zones yes;

and reconfiguring a running BIND 9.16 server, the process complained it couldn’t open _default.nzd. (If compiled with LMDB support, BIND uses the memory-mapped database for storing new zone definitions instead of the “old” .nzf file.)

We run these training systems with SELinux enabled (I wouldn’t, but my colleague likes it :-), and that’s the reason I aborted the lab: I couldn’t tell students how to solve the cause other than by disabling SELinux entirely, but there wasn’t enough time for that.

After getting a good pointer on Twitter (thank you Howard, Stef, and Evgeni), I saw this:

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow named_t named_zone_t:file map;

The comment contained “boolean”, which I recognized, so I was able to fix the issue an hour after the training. The command

setsebool -P domain_can_mmap_files 1

has now found its way into the setup playbooks for these machines.
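As an added example (not from the original post), here is a small shell helper that checks that an AVC denial is exactly the named_t-to-named_zone_t file "map" case the boolean covers before flipping it, so the remediation stays narrower than disabling SELinux; the audit line, the function names and the `--check` flag are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of the denial that ausearch -m avc -c named shows when
# named (named_t) tries to mmap its LMDB file _default.nzd (named_zone_t).
SAMPLE_AVC='type=AVC msg=audit(1600000000.000:1234): avc:  denied  { map } for  pid=4242 comm="named" path="/var/named/_default.nzd" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0'

# Returns 0 when the denial is a named_t process asking to map a
# named_zone_t file, i.e. precisely what domain_can_mmap_files permits;
# returns 1 for any other denial, so the boolean is not flipped blindly.
avc_is_named_mmap_denial() {
    printf '%s\n' "$1" | grep -q 'denied  *{ map }' || return 1
    printf '%s\n' "$1" | grep -q 'scontext=[^ ]*:named_t:' || return 1
    printf '%s\n' "$1" | grep -q 'tcontext=[^ ]*:named_zone_t:' || return 1
    printf '%s\n' "$1" | grep -q 'tclass=file' || return 1
    return 0
}

# Idempotent remediation: persist the boolean only if it is currently off.
# Needs root on a real SELinux host; on a host without SELinux it reports
# that and returns 2 instead of failing later.
ensure_mmap_boolean() {
    case "$(getsebool domain_can_mmap_files 2>/dev/null)" in
        *" --> on")  echo "domain_can_mmap_files already on" ;;
        *" --> off") setsebool -P domain_can_mmap_files 1 ;;
        *) echo "SELinux booleans unavailable on this host" >&2; return 2 ;;
    esac
}

main() {
    # On a live host, feed each line of:  ausearch -m avc -c named -ts recent
    # into avc_is_named_mmap_denial instead of the constructed sample.
    if avc_is_named_mmap_denial "$SAMPLE_AVC"; then
        echo "denial matches named mapping a zone file: enabling the boolean"
        ensure_mmap_boolean
    else
        echo "different denial; domain_can_mmap_files is not the fix"
    fi
}

# Run the check only when invoked as: sh check_named_mmap.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```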