Bug 859231 - krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
All Linux
Priority: high Severity: high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
Depends On:
Reported: 2012-09-20 16:43 EDT by Sigbjorn Lie
Modified: 2013-02-21 03:30 EST

See Also:
Fixed In Version: selinux-policy-3.7.19-166.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 03:30:40 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0314 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 15:35:01 EST

Description Sigbjorn Lie 2012-09-20 16:43:39 EDT
Description of problem:
krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

See https://www.redhat.com/archives/freeipa-users/2012-September/msg00254.html for details.

Version-Release number of selected component (if applicable):

How reproducible:
Every time named is restarted. Tested on 3 different hosts.

Steps to Reproduce:
1. Use IPA / FreeIPA
2. Upgrade krb5 to 1.9-33.el6_3.3
3. Attempt to start named

Actual results:
named fails to start.

Expected results:
named should start.

Additional info:
Comment 2 Najmuddin Chirammal 2012-09-27 10:06:03 EDT
The issue is not specific to krb5-server-1.9-33.el6_3.3.x86_64.

Steps to reproduce:

* Disable selinux & reboot the machine
  # rm /var/tmp/DNS_25 (if it was created earlier)
* Start ipa (or named)
  It creates a DNS_25 with no context.
* Enable selinux
* Reboot the machine
  Since there was no context created for DNS_25, the system sets the default tmp_t [1].

* Start ipa (or named)
  If selinux is enforcing, named won't start.

* Remove the file DNS_25
* Start named again; it'll create the file with the correct context. [2]

[1] -rw-------. named  named  system_u:object_r:tmp_t:s0       DNS_25

[2] -rw-------. named  named  unconfined_u:object_r:named_tmp_t:s0 DNS_25
Comment 4 Daniel Walsh 2012-09-28 05:43:15 EDT
bfdad301c406d5d27270ae5d66bc2bb0683b5a6e fixes this problem in Fedora 18.

For RHEL6 you have to add 

/var/tmp/DNS_25                           gen_context(system_u:object_r:named_tmp_t,s0)

Then the relabel should fix it.

In RHEL7 this will be labeled as kerberos content.
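A check for the mislabelled file together with the RHEL 6 remediation described in the comments above, as an added example that is not part of this bug report or of the selinux-policy package. It assumes the path /var/tmp/DNS_25 and the expected type named_tmp_t given in the comments, and that stat's %C format prints the file's SELinux context.

```shell
#!/bin/sh
# Added example, not code from the bug report: check whether /var/tmp/DNS_25
# carries the type named is allowed to use, and print the RHEL 6 remediation
# (a local file-context rule plus a relabel). Assumed: the expected type
# named_tmp_t and the file path, both taken from the comments above.

DNS_FILE=/var/tmp/DNS_25
EXPECTED_TYPE=named_tmp_t

# Third field of an SELinux context "user:role:type:level", e.g. tmp_t from
# "system_u:object_r:tmp_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds (exit 0) when the context's type matches the expected one.
label_ok() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# The persistent fix: record the mapping so any relabel (restorecon now, or
# a full relabel at boot) sets named_tmp_t, then apply it to the file.
remediation() {
    printf "semanage fcontext -a -t %s '%s'\n" "$EXPECTED_TYPE" "$DNS_FILE"
    printf "restorecon -v '%s'\n" "$DNS_FILE"
}

# Live check on a host with SELinux: stat's %C prints the file's context.
check_live() {
    if [ ! -e "$DNS_FILE" ]; then
        echo "$DNS_FILE not present; named creates it with the context the"
        echo "policy assigns (named_tmp_t once the mapping above exists)."
        return 0
    fi
    ctx=$(stat -c %C "$DNS_FILE")
    if label_ok "$ctx"; then
        echo "$DNS_FILE: $ctx (ok)"
    else
        echo "$DNS_FILE: $ctx (mislabelled; named fails to start with type $(context_type "$ctx"))"
        echo "Run as root:"
        remediation
        return 1
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as "sh check_dns25.sh --live" on the affected host; with a bare invocation it only defines the functions.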
Comment 9 errata-xmlrpc 2013-02-21 03:30:40 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

