Description of problem:
bind cannot access /etc/krb5.keytab

Version-Release number of selected component (if applicable):
# rpm -qa bind* selinux*
bind-utils-9.3.4-9.P1.el5
selinux-policy-2.4.6-170.el5
bind-libs-9.3.4-9.P1.el5
selinux-policy-targeted-2.4.6-170.el5
bind-9.3.4-9.P1.el5

How reproducible:
always

Steps to Reproduce:
1. start selinux enforcing mode
2. service named start

Actual results:
# ll /etc/krb5.keytab -Z
-rw-rw-r--  root named system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

named writes in /var/log/messages:
Nov 20 09:50:22 intel-d3c69-01 named[19512]: configuring TKEY: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: loading configuration: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: exiting (due to fatal error)

in /var/log/audit/audit.log:
type=AVC msg=audit(1227191863.284:93): avc: denied { read } for pid=18527 comm="named" name="krb5.keytab" dev=dm-0 ino=54101486 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=fil

Expected results:
bind works

Additional info:
when I cp /etc/krb5.keytab /etc/named.keytab and change /etc/sysconfig/named accordingly, bind can start and
# ll /etc/named.keytab
-rw-r--r-- 1 root root 392 Nov 20 09:47 /etc/named.keytab
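The AVC record above shows the keytab is correctly labelled krb5_keytab_t, so a relabel would not help; the gap is in the named_t policy itself. As an added example (not part of this bug report or the selinux-policy package), the script below parses AVC denials the way a triage tool would, checks whether the target label matches the expected one, and collapses the denials into the allow rule the policy would need. The audit lines are constructed to match the contexts reported here; the bug's own line is truncated at "tclass=fil", so it is not used verbatim.

```python
import re
from collections import defaultdict

# Constructed sample audit records (same contexts as the bug report, not its exact lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1227191863.284:93): avc:  denied  { read } for  pid=18527 comm="named" name="krb5.keytab" dev=dm-0 ino=54101486 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1227191863.284:93): avc:  denied  { getattr } for  pid=18527 comm="named" path="/etc/krb5.keytab" dev=dm-0 ino=54101486 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1227191863.284:93): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the permission set, source context, target context and object class of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    # A context is user:role:type:level; the type is what TE rules operate on.
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial record; non-AVC records (SYSCALL etc.) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "sdomain": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def needs_relabel(denial, expected_type):
    # True when the object carries an unexpected label, i.e. restorecon would be the fix.
    return denial["ttype"] != expected_type


def allow_rules(denials):
    """Merge denials per (source domain, target type, class) into allow rules, audit2allow-style."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["sdomain"], d["ttype"], d["tclass"])].update(d["perms"])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()
    )
```

Because the label is correct, the derived rule describes what the vendor policy must grant (here delivered by the updated selinux-policy package), not a local module to load on production hosts without review.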
Fixed in selinux-policy-2.4.6-192.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html