Proper location for slapd kerberos ticket cache

Lukas Vrabec lvrabec at redhat.com
Wed Apr 22 10:56:01 UTC 2015


Hi,

We have a label for this called slapd_keytab_t. The problem is, there is 
no default path, as you said.
When you choose a path (e.g. /var/cache/openldap/) and label it as 
slapd_keytab_t, it should work.
So, you just need to label the krb5cache file.

On 04/21/2015 10:01 PM, Jason L Tibbitts III wrote:
> I'm running kerberized openldap, which means I need a kerberos keytab
> and a ticket cache to provide to slapd.  The locations of these files
> are passed to slapd in environment variables and there's no Fedora
> default for the file locations.  (I guess there aren't too many people
> running kerberized openldap.)  This means I'm free to choose the
> locations, but selinux gets upset if I choose the "wrong" ones.
>
> The keytab is pretty much a fixed configuration file, and is fine to
> live in /etc/openldap.  The ticket cache, however, must be periodically
> renewed by a cron job, and must be mode 600 owned by the ldap user.  The
> ldap user can't write to /etc/openldap, and I'd prefer not to allow it
> to do so.  /etc/openldap isn't really the right place anyway.  The
> "appropriate" place for this would generally be /var/cache/openldap, but
> selinux won't let slapd read from there:
>
> type=AVC msg=audit(1429645682.010:32711): avc:  denied  { getattr } for
> pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache"
> dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0
> tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
>
> Now, I can obviously just run semanage and add an fcontext for that
> location but if possible I'd like to pick something that doesn't require
> me to do that for every deployment.  Is there a location I can use for
> this that's allowed by policy currently?  Or can I get the default
> policy modified to provide one?
>
> Thanks,
>
>   - J<
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
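The labelling step Lukas describes, worked through as an added example (this is not code from the thread or from Fedora's policy tooling): the script parses the AVC record Jason quoted, checks whether the denied file merely inherited a generic directory default (var_t, from /var) rather than a purpose-specific type, and if so emits the semanage/restorecon commands that give it the slapd_keytab_t label. The GENERIC_TYPES set and the label-vs-policy decision rule are this example's own assumptions, as is the fallback audit2allow recipe for the case where the file already carries a specific type.

```python
"""Triage an SELinux AVC denial and print the labelling fix.

Added example for this thread, not code from the list or from Fedora's
policy tooling.  It parses the AVC record Jason quoted, checks whether the
denied file merely inherited a generic directory label (var_t here), and, if
so, emits the semanage/restorecon commands that give it the slapd_keytab_t
type Lukas names.  GENERIC_TYPES and the label-vs-policy rule are this
example's own assumptions.
"""
import re
import shlex

# Constructed input: the AVC record from the quoted message, joined onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(1429645682.010:32711): avc:  denied  { getattr } for "
    'pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache" '
    'dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0 '
    "tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0"
)

# Assumption: a file of one of these types got its label by inheriting the
# parent directory's default, so a denial against it is a labelling problem
# that semanage/restorecon can fix, not a gap in the slapd policy.
GENERIC_TYPES = {"var_t", "default_t"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")     # { getattr } -> getattr


def parse_avc(record: str) -> dict:
    """Return the key=value fields of one AVC record, quotes stripped,
    plus the denied permissions under 'perms'."""
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    m = _PERMS.search(record)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def context_type(context: str) -> str:
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def fcontext_commands(path: str, wanted_type: str) -> list:
    """Commands that persistently label one file.  semanage takes a regular
    expression, so the literal path is escaped (the '.' in slapd.krb5cache
    would otherwise match any character)."""
    regex = re.escape(path)
    return [
        f"semanage fcontext -a -t {wanted_type} {shlex.quote(regex)}",
        f"restorecon -v {shlex.quote(path)}",
        f"ls -Z {shlex.quote(path)}",   # verify the new label took effect
    ]


def suggest_fix(record: str, wanted_type: str) -> dict:
    """Classify the denial as a labelling problem or a policy gap and
    return the remediation commands."""
    f = parse_avc(record)
    source = context_type(f["scontext"])
    target = context_type(f["tcontext"])
    path = f.get("path")
    result = {"source": source, "target": target, "path": path, "perms": f["perms"]}
    if f.get("tclass") == "file" and path and target in GENERIC_TYPES:
        result["kind"] = "label"
        result["commands"] = fcontext_commands(path, wanted_type)
    else:
        # Already carrying a specific type (or not a file): the policy itself
        # lacks the rule, so collect the denials for a local module instead.
        result["kind"] = "policy"
        result["commands"] = [
            f"ausearch -m avc -c {shlex.quote(f.get('comm', source))} | audit2allow -M local",
            "semodule -i local.pp",
        ]
    return result


if __name__ == "__main__":
    fix = suggest_fix(SAMPLE_AVC, "slapd_keytab_t")
    print(f"{fix['source']} denied {' '.join(fix['perms'])} on {fix['path']} "
          f"(labelled {fix['target']}): {fix['kind']} fix")
    for cmd in fix["commands"]:
        print("  " + cmd)
```

Two checks worth doing before and after running the emitted commands: confirm the type exists in the loaded policy (`seinfo -t slapd_keytab_t`, from setools) so the semanage call does not fail, and re-run `ls -Z` after the renewing cron job has fired. If that job replaces the ticket cache rather than rewriting it in place, the new inode is labelled from its parent directory again (var_t, since no type transition applies to the cron process), and the denial comes back; the usual fix is to run `restorecon` on the file in the cron job right after kinit, which is cheap because the `semanage fcontext` rule persists.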


