On 04/22/2015 12:56 PM, Lukas Vrabec wrote:
> Hi,
>
> We have a label for this called slapd_keytab_t. The problem is, there is
> no default path, as you said.
> When you choose a path (e.g. /var/cache/openldap/) and label it as
> slapd_keytab_t, it should work.
> So, you just need to label the krb5cache file.
>
> On 04/21/2015 10:01 PM, Jason L Tibbitts III wrote:
>> I'm running kerberized openldap, which means I need a kerberos keytab
>> and a ticket cache to provide to slapd. The locations of these files
>> are passed to slapd in environment variables and there's no Fedora
>> default for the file locations.

Where are they created if you don't define it?

You could go with krb5_host_rcache_t labeling for /var/cache/openldap.

>> (I guess there aren't too many people
>> running kerberized openldap.) This means I'm free to choose the
>> locations, but selinux gets upset if I choose the "wrong" ones.
>>
>> The keytab is pretty much a fixed configuration file, and is fine to
>> live in /etc/openldap. The ticket cache, however, must be periodically
>> renewed by a cron job, and must be mode 600 owned by the ldap user. The
>> ldap user can't write to /etc/openldap, and I'd prefer not to allow it
>> to do so. /etc/openldap isn't really the right place anyway. The
>> "appropriate" place for this would generally be /var/cache/openldap, but
>> selinux won't let slapd read from there:
>>
>> type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for
>> pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache"
>> dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0
>> tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
>>
>> Now, I can obviously just run semanage and add an fcontext for that
>> location, but if possible I'd like to pick something that doesn't require
>> me to do that for every deployment. Is there a location I can use for
>> this that's allowed by policy currently? Or can I get the default
>> policy modified to provide one?
>>
>> Thanks,
>>
>> - J<
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
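The remediation the thread converges on (a persistent fcontext rule for the cache directory, then restorecon) can be derived mechanically from the AVC record Jason quoted. The script below is an added example and is not code from anyone in the thread: it pulls the path, the source and target types and the denied permission out of that AVC line (copied from the message above as the sample input), and prints the `semanage fcontext` / `restorecon` commands for the directory using the slapd_keytab_t type Lukas named. `semanage` and `restorecon` are real policycoreutils tools; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Parses an SELinux AVC denial and
# emits the persistent labeling commands discussed in the thread.

# Sample AVC line, constructed from the one quoted in Jason's message.
AVC_SAMPLE='type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache" dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of KEY=... from the AVC record, quotes stripped.
# The key must be preceded by whitespace so "scontext" does not match "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list inside "denied { ... }", trailing space trimmed.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT -> the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fcontext DIR TYPE -> the two commands that make the label persistent
# for DIR and everything under it, then apply it to what already exists.
suggest_fcontext() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

main() {
    path=$(avc_field "$AVC_SAMPLE" path)
    src=$(context_type "$(avc_field "$AVC_SAMPLE" scontext)")
    tgt=$(context_type "$(avc_field "$AVC_SAMPLE" tcontext)")
    perms=$(avc_perms "$AVC_SAMPLE")
    tclass=$(avc_field "$AVC_SAMPLE" tclass)

    echo "$src was denied { $perms } on $tclass $path (currently labeled $tgt)"
    echo "Persistent fix using the slapd_keytab_t type from the thread:"
    # Label the whole directory so the cron-renewed cache inherits the type.
    suggest_fcontext "$(dirname "$path")" slapd_keytab_t
}

main "$@"
```

Labeling the directory rather than the single file matters for the cron renewal Jason describes: a file created inside a directory normally inherits the directory's type, so each fresh slapd.krb5cache comes up as slapd_keytab_t without another restorecon. After applying the rule, `ls -Z /var/cache/openldap` (or `matchpathcon /var/cache/openldap/slapd.krb5cache`) shows whether the on-disk label and the policy's expectation agree, and a further AVC with tcontext still var_t means the restorecon step was skipped.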