[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Sigbjorn Lie sigbjorn at nixtra.com
Thu Sep 20 20:44:56 UTC 2012


On 09/20/2012 10:34 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/20/2012 10:17 PM, Rob Crittenden wrote:
>>> bind isn't my strongest suit.
>>>
>>> My guess is that this file is the ccache for bind. I'm guessing that
>>> 25 is the UID of the named user. If this is the case, then it should
>>> be safe to stop named, rename the file, and restart. Perhaps the
>>> contexts have changed so when this gets re-created it will get fixed
>>> automagically.
>>>
>>> rob
>>>
>> You guessed well!! :)
>>
>> Stop named:
>> # service named stop
>>
>> Enable selinux:
>> # setenforce 1
>>
>> Verify that error still exists:
>> # service named start
>> Starting named: [FAILED]
>>
>> Rename file:
>> # cd /var/tmp
>> # mv DNS_25 DNS_25_old
>>
>> Attempt to start named again:
>> # service named start
>> Starting named:                                            [ OK  ]
>>
>> Voila!
>>
>> A before and after shot:
>> # ls -lZ DNS_25*
>> -rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25_old
>>
>> What are the odds that this was the entire issue and that named will now
>> keep running safe and sound?
>>
>
> Hard to say. Because restorecon didn't fix the bad context I suspect 
> this isn't directly covered in policy. So if the file should get the 
> wrong context again you could be back in this position. It is probably 
> worth filing a bug. I'm not entirely sure whether it should be against 
> bind or selinux, but it'll get to the right folks either way eventually.
>
> rob
Filed to the krb people for now.

https://bugzilla.redhat.com/show_bug.cgi?id=859231



Regards,
Siggi
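The steps above (spot a file that a confined daemon owns but that carries a generic type, then stop, move the file aside and restart) can be scripted so the check is repeatable, which matters here because Rob's caveat is that the file may come back with the wrong label. The following is an added example and not code from the thread or from FreeIPA/bind: it parses RHEL 6 style `ls -lZ` output (mode, user, group, context, name), lists files owned by a given user whose SELinux type is not the one expected (named_tmp_t, as in the "after" listing above), and prints the same stop/rename/restart plan the thread used. The listing it runs on is constructed to mirror the thread's "before" state; the expected type, service name and directory are parameters, and the `restorecon -nv` pre-check line is an assumption about how a practitioner would confirm that policy has no rule for the path before resorting to the rename.

```sh
#!/bin/sh
# Added example, not part of the Freeipa-users thread. Assumptions:
#  - `ls -lZ` prints "mode user group context name" (RHEL 6 layout, as in the thread)
#  - the ccache bind writes to /var/tmp should carry type named_tmp_t
EXPECTED_TYPE="${EXPECTED_TYPE:-named_tmp_t}"

# Constructed sample: the "before" state from the thread (DNS_25 mislabelled
# as tmp_t) plus a correctly labelled sibling and an unrelated root-owned file.
SAMPLE_BEFORE='-rw-------. named named system_u:object_r:tmp_t:s0 DNS_25
-rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25_good
-rw-r--r--. root root unconfined_u:object_r:tmp_t:s0 scratch.txt'

# Read an `ls -lZ` listing on stdin; print the names of files owned by $1
# whose SELinux type (third colon-separated field of the context) is not $2.
mismatched_files() {
    owner="$1"; want="$2"
    awk -v owner="$owner" -v want="$want" '
        $2 == owner {
            split($4, ctx, ":")
            if (ctx[3] != want) print $5
        }'
}

# Print the workaround the thread used for each mislabelled file:
# stop the daemon, move the file aside so it is re-created, restart.
# Arguments: service name, directory, then one or more file names.
# Returns 1 when there is nothing to do.
remediation_plan() {
    svc="$1"; dir="$2"; shift 2
    [ "$#" -gt 0 ] || return 1
    printf 'service %s stop\n' "$svc"
    for f in "$@"; do
        # restorecon -nv shows what policy would relabel without doing it;
        # no output means policy has no rule for this path (the situation
        # Rob describes), so the rename below is the available workaround.
        printf 'restorecon -nv %s/%s\n' "$dir" "$f"
        printf 'mv %s/%s %s/%s_old\n' "$dir" "$f" "$dir" "$f"
    done
    printf 'service %s start\n' "$svc"
}

# Demo on the constructed listing. On a real host replace the printf with
# `ls -lZ /var/tmp`. $bad is deliberately unquoted: one file name per line,
# no spaces in ccache names.
bad=$(printf '%s\n' "$SAMPLE_BEFORE" | mismatched_files named "$EXPECTED_TYPE")
if [ -n "$bad" ]; then
    remediation_plan named /var/tmp $bad
fi
```

To confirm that a failed `service named start` really is this labelling problem rather than something else, check the audit log for the denial first (`ausearch -m avc -c named`); an AVC showing named denied access to a tmp_t file in /var/tmp is what the rename above addresses. If the file keeps coming back mislabelled after the fix, that supports Rob's reading that the path is simply not covered by policy, which is the bug report Siggi filed.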



