Hi,
We have a label for this called slapd_keytab_t. The problem is, there is
no default path, as you said.
When you choose a path (e.g. /var/cache/openldap/) and label it as
slapd_keytab_t, it should work.
So, you just need to label the krb5cache file.
On 04/21/2015 10:01 PM, Jason L Tibbitts III wrote:
I'm running kerberized openldap, which means I need a kerberos keytab
and a ticket cache to provide to slapd. The locations of these files
are passed to slapd in environment variables and there's no Fedora
default for the file locations. (I guess there aren't too many people
running kerberized openldap.) This means I'm free to choose the
locations, but selinux gets upset if I choose the "wrong" ones.
The keytab is pretty much a fixed configuration file, and is fine to
live in /etc/openldap. The ticket cache, however, must be periodically
renewed by a cron job, and must be mode 600 owned by the ldap user. The
ldap user can't write to /etc/openldap, and I'd prefer not to allow it
to do so. /etc/openldap isn't really the right place anyway. The
"appropriate" place for this would generally be /var/cache/openldap, but
selinux won't let slapd read from there:
type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for
pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache"
dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0
tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
Now, I can obviously just run semanage and add an fcontext for that
location but if possible I'd like to pick something that doesn't require
me to do that for every deployment. Is there a location I can use for
this that's allowed by policy currently? Or can I get the default
policy modified to provide one?
Thanks,
- J<
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
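As an added illustration (not code from either message in this thread), the AVC denial Jason quoted can be parsed to derive the relabelling commands Lukas describes. The target type slapd_keytab_t comes from the reply; the directory pattern, the helper names and the choice to print rather than execute the commands are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn an AVC denial into the semanage/restorecon commands
# that relabel the cache directory. The AVC line is the one from the thread,
# embedded here as constructed input so the script runs offline.
AVC_LINE='type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache" dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type field (third colon-separated component),
# e.g. system_u:system_r:slapd_t:s0 -> slapd_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# relabel_commands FILE TYPE: print the persistent fcontext rule for the
# file's directory and the restorecon that applies it (nothing is executed).
relabel_commands() {
    dir=$(dirname "$1")
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Dry run against the constructed line: show who was denied what, then the fix.
CACHE_PATH=$(avc_field "$AVC_LINE" path)
SRC_TYPE=$(context_type "$(avc_field "$AVC_LINE" scontext)")
TGT_TYPE=$(context_type "$(avc_field "$AVC_LINE" tcontext)")
echo "denied: $SRC_TYPE reading $CACHE_PATH labelled $TGT_TYPE"
relabel_commands "$CACHE_PATH" slapd_keytab_t
```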