Proper location for slapd kerberos ticket cache

Jason L Tibbitts III tibbs at math.uh.edu
Tue Apr 21 20:01:11 UTC 2015


I'm running kerberized openldap, which means I need a kerberos keytab
and a ticket cache to provide to slapd.  The locations of these files
are passed to slapd in environment variables and there's no Fedora
default for the file locations.  (I guess there aren't too many people
running kerberized openldap.)  This means I'm free to choose the
locations, but selinux gets upset if I choose the "wrong" ones.

The keytab is pretty much a fixed configuration file, and is fine to
live in /etc/openldap.  The ticket cache, however, must be periodically
renewed by a cron job, and must be mode 600 owned by the ldap user.  The
ldap user can't write to /etc/openldap, and I'd prefer not to allow it
to do so.  /etc/openldap isn't really the right place anyway.  The
"appropriate" place for this would generally be /var/cache/openldap, but
selinux won't let slapd read from there:

type=AVC msg=audit(1429645682.010:32711): avc:  denied  { getattr } for
pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache"
dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0
tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

Now, I can obviously just run semanage and add an fcontext for that
location but if possible I'd like to pick something that doesn't require
me to do that for every deployment.  Is there a location I can use for
this that's allowed by policy currently?  Or can I get the default
policy modified to provide one?

Thanks,

 - J<
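As an added example (not part of the post above, nor code from the openldap or selinux projects), a small POSIX shell helper that parses an AVC record like the one quoted into the pieces that explain the denial and prints the checks to run before relabeling; the record is the post's, joined back onto one line, and the type name in the relabel template is a placeholder, not a real policy type.

```shell
# Added example, not from the original post: parse an AVC denial record into the
# fields that explain it and print the checks to run before relabeling anything.
# The record below is the one quoted in the post, joined back onto one line.
AVC='type=AVC msg=audit(1429645682.010:32711): avc:  denied  { getattr } for pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache" dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type component of a user:role:type:level label
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions listed inside { ... }, space separated
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_checks RECORD: commands that confirm why the access was denied.
# matchpathcon shows the label policy assigns to that path (the record's
# tcontext shows the file currently carries the generic var_t); sesearch shows
# whether the source domain has any allow rule for that type and class, and
# which file types it may read instead, i.e. the candidates for a relabel.
avc_checks() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    printf 'matchpathcon %s\n' "$path"
    printf 'sesearch -A -s %s -t %s -c %s\n' "$src" "$tgt" "$cls"
    printf 'sesearch -A -s %s -c %s -p read,getattr\n' "$src" "$cls"
}

# avc_relabel_template RECORD: the per-deployment fix the post mentions, with a
# placeholder for the type chosen from the sesearch output above.
avc_relabel_template() {
    dir=$(dirname "$(avc_field "$1" path)")
    printf "semanage fcontext -a -t SLAPD_READABLE_TYPE_PLACEHOLDER '%s(/.*)?'\n" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

avc_checks "$AVC"
avc_relabel_template "$AVC"
```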