[389-devel] Please Review: (529909) Update SELinux policy for SASL GSSAPI

[Nathan Kinder <nkinder@xxxxxxxxxx>]

>From 027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Fri, 30 Oct 2009 08:44:34 -0700
Subject: [PATCH] 529909 - Update SELinux policy for SASL GSSAPI

The dirsrv SELinux policy needs some changes to allow SASL GSSAPI
authentication to work.  We need to allow ns-slapd to read the
krb5.conf file and to create the in memory credentials cache.  The
kerberos libraries also attempt to open the krb5.conf in write mode,
so we need to prevent those attempts from being audited.
---
 selinux/dirsrv.te |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index 6dcabe1..60901f2 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -85,7 +85,7 @@ libs_use_shared_libs(dirsrv_t)
 allow dirsrv_t self:fifo_file { read write };
 
 # process stuff
-allow dirsrv_t self:process { getsched setsched signal_perms};
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
 allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner };
 
 # semaphores
@@ -132,6 +132,10 @@ files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
 fs_getattr_all_fs(dirsrv_t)
 kernel_read_system_state(dirsrv_t)
 
+# kerberos config for SASL GSSAPI
+kerberos_read_config(dirsrv_t)
+kerberos_dontaudit_write_config(dirsrv_t)
+
 # Networking basics
 sysnet_dns_name_resolve(dirsrv_t)
 corenet_all_recvfrom_unlabeled(dirsrv_t)
-- 
1.6.2.5

--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel