Bug 859231

Summary: krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
Product: Red Hat Enterprise Linux 6
Reporter: Sigbjorn Lie <sigbjorn>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 6.3
CC: dpal, dwalsh, jplans, mgrepl, mmalik, nc, pspacek, rcritten
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-166.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 08:30:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sigbjorn Lie 2012-09-20 20:43:39 UTC
Description of problem:
krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

See https://www.redhat.com/archives/freeipa-users/2012-September/msg00254.html for details.

Version-Release number of selected component (if applicable):
1.9-33.el6_3.3

How reproducible:
Every time named is restarted. Tested on 3 different hosts.

Steps to Reproduce:
1. Use IPA / FreeIPA
2. Upgrade krb5 to 1.9-33.el6_3.3
3. Attempt to start named
  
Actual results:
named fails to start.

Expected results:
named should start.

Additional info:

Comment 2 Najmuddin Chirammal 2012-09-27 14:06:03 UTC
The issue is not specific to krb5-server-1.9-33.el6_3.3.x86_64.

Steps to reproduce:

* Disable selinux & reboot the machine
  # rm /var/tmp/DNS_25 (if it was created earlier)
* Start ipa (or named)
  It creates a DNS_25 with no context.
* Enable selinux
* Reboot the machine
  Since there was no context created for DNS_25, the system sets the default tmp_t [1].

* Start ipa (or named)
  If selinux is enforcing, named won't start.

* Remove the file DNS_25
* Start named again; it'll create the file with the correct context [2].

[1] -rw-------. named  named  system_u:object_r:tmp_t:s0       DNS_25

[2] -rw-------. named  named  unconfined_u:object_r:named_tmp_t:s0 DNS_25

Comment 4 Daniel Walsh 2012-09-28 09:43:15 UTC
bfdad301c406d5d27270ae5d66bc2bb0683b5a6e fixes this problem in Fedora 18.

For RHEL6 you have to add 

/var/tmp/DNS_25                           gen_context(system_u:object_r:named_tmp_t,s0)

Then the relabel should fix it.

In RHEL7 this will be labeled as kerberos content.
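
An added check (not part of the bug report or the selinux-policy package) that tells the two labels quoted in comment 2 apart and flags the mislabeled case before named is restarted. It assumes the `ls -Z` column layout shown in that comment (mode, user, group, context, name); the sample lines are constructed copies of those two listings so the check runs without an SELinux host, and `restorecon`/`stat -c %C` are used for the live case.

```shell
#!/bin/sh
# Added example: verify that /var/tmp/DNS_25 carries the SELinux type the
# named domain is allowed to use (named_tmp_t), not the default tmp_t.
EXPECTED_TYPE="named_tmp_t"
LOCKFILE="/var/tmp/DNS_25"

# Type is the third colon-separated field of a context such as
# system_u:object_r:tmp_t:s0 (user and role do not matter for this check).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 when the context's type matches the policy expectation, 1 otherwise.
label_ok() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# Parse one RHEL6-style `ls -Z` line (context is the 4th whitespace field),
# print a verdict and return label_ok's status.
check_ls_line() {
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    if label_ok "$ctx"; then
        echo "ok: $ctx"
        return 0
    fi
    echo "MISLABELED: type $(context_type "$ctx"), expected $EXPECTED_TYPE" \
         "(fix: restorecon -v $LOCKFILE after the file context is added)"
    return 1
}

# Constructed samples, copied from listings [1] and [2] in comment 2.
BAD_LINE='-rw-------. named  named  system_u:object_r:tmp_t:s0       DNS_25'
GOOD_LINE='-rw-------. named  named  unconfined_u:object_r:named_tmp_t:s0 DNS_25'

# Live check on an SELinux host; skipped when the file is absent.
check_live() {
    [ -e "$LOCKFILE" ] || { echo "no $LOCKFILE present"; return 0; }
    ctx=$(stat -c %C "$LOCKFILE")
    label_ok "$ctx" && echo "ok: $ctx" || check_ls_line "x x x $ctx $LOCKFILE"
}
```

Run `check_live` on the affected host before restarting named; a MISLABELED verdict means the tmp_t file from comment 2 is still in place.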

Comment 9 errata-xmlrpc 2013-02-21 08:30:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html