Bug 472373 - bind cannot access to /etc/krb5.keytab
bind cannot access to /etc/krb5.keytab
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.4
All Linux
high Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-20 09:59 EST by Petr Sklenar
Modified: 2012-10-16 04:45 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:30:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Sklenar 2008-11-20 09:59:08 EST
Description of problem:
bind cannot access to /etc/krb5.keytab

Version-Release number of selected component (if applicable):
# rpm -qa bind* selinux*
bind-utils-9.3.4-9.P1.el5
selinux-policy-2.4.6-170.el5
bind-libs-9.3.4-9.P1.el5
selinux-policy-targeted-2.4.6-170.el5
bind-9.3.4-9.P1.el5


How reproducible:
always

Steps to Reproduce:
1. start selinux enforcing mode
2. service named start
  
Actual results:
# ll /etc/krb5.keytab -Z
-rw-rw-r--  root named system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

named writes in /var/log/messages
Nov 20 09:50:22 intel-d3c69-01 named[19512]: configuring TKEY: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: loading configuration: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: exiting (due to fatal error)

in /var/log/audit/audit.log

type=AVC msg=audit(1227191863.284:93): avc:  denied  { read } for  pid=18527 comm="named" name="krb5.keytab" dev=dm-0 ino=54101486 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=fil

Expected results:
bind works

Additional info:
when I change cp /etc/krb5.keytab /etc/named.keytab
plus change /etc/sysconfig/named
bind can start and 
# ll /etc/named.keytab
-rw-r--r-- 1 root root 392 Nov 20 09:47 /etc/named.keytab
Comment 1 Daniel Walsh 2008-11-20 10:51:05 EST
Fixed in selinux-policy-2.4.6-192.el5
Comment 8 errata-xmlrpc 2009-01-20 16:30:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

Note You need to log in before you can comment on or make changes to this bug.