472373 – bind cannot access to /etc/krb5.keytab

Bug 472373 - bind cannot access to /etc/krb5.keytab

Summary: bind cannot access to /etc/krb5.keytab

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-11-20 14:59 UTC by Petr Sklenar
Modified:	2012-10-16 08:45 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-01-20 21:30:03 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2009:0163	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2009-01-20 16:05:21 UTC

Description Petr Sklenar 2008-11-20 14:59:08 UTC

Description of problem:
bind cannot access to /etc/krb5.keytab

Version-Release number of selected component (if applicable):
# rpm -qa bind* selinux*
bind-utils-9.3.4-9.P1.el5
selinux-policy-2.4.6-170.el5
bind-libs-9.3.4-9.P1.el5
selinux-policy-targeted-2.4.6-170.el5
bind-9.3.4-9.P1.el5


How reproducible:
always

Steps to Reproduce:
1. start selinux enforcing mode
2. service named start
  
Actual results:
# ll /etc/krb5.keytab -Z
-rw-rw-r--  root named system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

named writes in /var/log/messages
Nov 20 09:50:22 intel-d3c69-01 named[19512]: configuring TKEY: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: loading configuration: failure
Nov 20 09:50:22 intel-d3c69-01 named[19512]: exiting (due to fatal error)

in /var/log/audit/audit.log

type=AVC msg=audit(1227191863.284:93): avc:  denied  { read } for  pid=18527 comm="named" name="krb5.keytab" dev=dm-0 ino=54101486 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=fil

Expected results:
bind works

Additional info:
when I change cp /etc/krb5.keytab /etc/named.keytab
plus change /etc/sysconfig/named
bind can start and 
# ll /etc/named.keytab
-rw-r--r-- 1 root root 392 Nov 20 09:47 /etc/named.keytab

Comment 1 Daniel Walsh 2008-11-20 15:51:05 UTC

Fixed in selinux-policy-2.4.6-192.el5

Comment 8 errata-xmlrpc 2009-01-20 21:30:03 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

Note You need to log in before you can comment on or make changes to this bug.