[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Rob Crittenden rcritten at redhat.com
Thu Sep 20 20:34:36 UTC 2012


Sigbjorn Lie wrote:
> On 09/20/2012 10:17 PM, Rob Crittenden wrote:
>> bind isn't my strongest suite.
>>
>> My guess is that this file is the ccache for bind. I'm guessing that
>> 25 is the UID of the named user. If this is the case, then it should
>> be safe to stop named, rename the file, and restart. Perhaps the
>> contexts have changed so when this gets re-created it will get fixed
>> automagically.
>>
>> rob
>>
> You guessed well!! :)
>
> Stop named:
> # service named stop
>
> Enable selinux:
> # setenforce 1
>
> Verify that error still exists:
> # service named start
> Starting named:                                            [FAILED]
>
> Rename file:
> # cd /var/tmp
> # mv DNS_25 DNS_25_old
>
> Attempt to start named again:
> # service named start
> Starting named:                                            [  OK  ]
>
> Voila!
>
> A before and after shot:
> # ls -lZ DNS_25*
> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
> -rw-------. named named system_u:object_r:tmp_t:s0       DNS_25_old
>
> What are the odds that this was the entire issue and that named will now
> keep running safe and sound?
>

Hard to say. Because restorecon didn't fix the bad context, I suspect
this isn't directly covered in policy. So if the file should get the
wrong context again you could be back in this position. It is probably
worth filing a bug. I'm not entirely sure whether it should be against
bind or selinux, but it'll get to the right folks either way eventually.

rob

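A small check an administrator could keep around to catch the same mislabelling before it stops named again, as an added example that is not from the thread: it reads `ls -lZ` output for the bind ccache files under /var/tmp and flags any whose SELinux type is not named_tmp_t, the type shown on the working file in Sigbjorn's listing. The DNS_<uid> naming and the expected type come from that listing; the script, its function names and the default directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report bind Kerberos ccache files in
# /var/tmp whose SELinux type differs from the one seen on the working file.
# Expected type and the DNS_<uid> naming come from the `ls -lZ` output quoted
# above; the function names and default directory are assumptions.

EXPECTED_TYPE="named_tmp_t"

# Extract the SELinux type (third part of user:role:type:level) from one
# `ls -lZ` line such as:
#   -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, p, ":") >= 3 && p[2] ~ /_r$/) { print p[3]; exit }
    }'
}

# Succeed (status 0) only if the line shows the expected type.
ccache_label_ok() {
    t=$(selinux_type_of "$1")
    [ "$t" = "$EXPECTED_TYPE" ]
}

# Check every DNS_* file under $1 (default /var/tmp). Returns 0 when all
# are labelled as expected, 1 if any is mislabelled (each one is printed).
# Usage: check_ccache_dir /var/tmp
check_ccache_dir() {
    dir=${1:-/var/tmp}
    rc=0
    for f in "$dir"/DNS_*; do
        [ -e "$f" ] || continue
        line=$(ls -lZ "$f" 2>/dev/null) || continue
        if ! ccache_label_ok "$line"; then
            echo "mislabelled: $line (expected $EXPECTED_TYPE)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lines modelled on the before/after listing in the thread.
GOOD_LINE='-rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25'
BAD_LINE='-rw-------. named named system_u:object_r:tmp_t:s0       DNS_25_old'
```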