Description of problem: krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing See https://www.redhat.com/archives/freeipa-users/2012-September/msg00254.html for details. Version-Release number of selected component (if applicable): 1.9-33.el6_3.3 How reproducible: Every time named is restarted. Tested on 3 different hosts. Steps to Reproduce: 1. Use IPA / FreeIPA 2. Upgrade krb5 to 1.9-33.el6_3.3 3. Attempt to start named Actual results: named fails to start. Expected results: named should start. Additional info:
The issue is not specific to krb5-server-1.9-33.el6_3.3.x86_64. steps to re-produce: * Disable selinux & reboot the machine # rm /var/tmp/DNS_25 (if was created earlier) * start ipa (or named) it creates a DNS_25 with no context * enable selinux * reboot the machine since there was no context created for DNS_25, system sets the default tmp_t[1] * start ipa (or named) if selinux is enforcing named wont start * remove the file DNS_25 start named again.. it'll create the file with correct context.[2] [1] -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25 [2] -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
bfdad301c406d5d27270ae5d66bc2bb0683b5a6e fixes this problem in Fedora 18. For RHEL6 you have to add /var/tmp/DNS_25 gen_context(system_u:object_r:named_tmp_t,s0) Then the relabel should fix it. In RHEl7 this will be labeled as kerberos content.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html