Proper location for slapd kerberos ticket cache
Miroslav Grepl
mgrepl at redhat.com
Fri Apr 24 12:09:10 UTC 2015
On 04/22/2015 12:56 PM, Lukas Vrabec wrote:
> Hi,
>
> We have a label for this called slapd_keytab_t. The problem is, there is
> no default path, as you said.
> When you choose a path (e.g. /var/cache/openldap/) and label it as
> slapd_keytab_t, it should work.
> So, you just need to label the krb5cache file.
>
> On 04/21/2015 10:01 PM, Jason L Tibbitts III wrote:
>> I'm running kerberized openldap, which means I need a kerberos keytab
>> and a ticket cache to provide to slapd. The locations of these files
>> are passed to slapd in environment variables and there's no Fedora
>> default for the file locations.
Where are they created if you don't define it?
You could go with krb5_host_rcache_t labeling for /var/cache/openldap.
>> (I guess there aren't too many people
>> running kerberized openldap.) This means I'm free to choose the
>> locations, but selinux gets upset if I choose the "wrong" ones.
>>
>> The keytab is pretty much a fixed configuration file, and is fine to
>> live in /etc/openldap. The ticket cache, however, must be periodically
>> renewed by a cron job, and must be mode 600 owned by the ldap user. The
>> ldap user can't write to /etc/openldap, and I'd prefer not to allow it
>> to do so. /etc/openldap isn't really the right place anyway. The
>> "appropriate" place for this would generally be /var/cache/openldap, but
>> selinux won't let slapd read from there:
>>
>> type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for
>> pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache"
>> dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0
>> tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
>>
>> Now, I can obviously just run semanage and add an fcontext for that
>> location but if possible I'd like to pick something that doesn't require
>> me to do that for every deployment. Is there a location I can use for
>> this that's allowed by policy currently? Or can I get the default
>> policy modified to provide one?
>>
>> Thanks,
>>
>> - J<
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
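As an added example (not code from this thread, the Fedora policy, or OpenLDAP), the shell script below pulls the fields that matter out of an AVC denial like the one Jason quoted and prints the persistent relabel for the directory holding the ticket cache. It assumes, as the thread leaves open, that the cache lives under /var/cache/openldap and that the chosen type is slapd_keytab_t per Lukas's suggestion; the AVC line is the one from the thread, embedded as constructed sample input, and the script only prints commands rather than changing the running policy.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Fedora policy.
# Parses an AVC denial of the kind quoted above and prints the persistent
# relabel for the directory that holds the ticket cache.
#
# Assumptions (the thread fixes neither): the cache lives under
# /var/cache/openldap and the chosen type is slapd_keytab_t, as Lukas
# suggested. Nothing here changes the live policy; it only prints commands.

# Constructed sample input: the denial Jason quoted, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1429645682.010:32711): avc: denied { getattr } for pid=9186 comm="slapd" path="/var/cache/openldap/slapd.krb5cache" dev="dm-1" ino=131308 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... from an audit record,
# with surrounding double quotes (comm="slapd", path="...") stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "comm source_type target_type path", the four things
# to look at before deciding how to relabel (or whether to touch policy).
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(avc_field "$1" comm)" \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" path)"
}

# label_commands DIR TYPE: the two commands that make the label survive a
# full relabel and apply it now. New files the cron job drops into DIR
# inherit DIR's type unless a type_transition rule says otherwise, so this
# normally only has to be run once per host.
label_commands() {
    dir=${1%/}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# fix_for_avc LINE TYPE: derive the directory from the denied path and
# print the relabel for it.
fix_for_avc() {
    path=$(avc_field "$1" path)
    label_commands "$(dirname "$path")" "$2"
}

main() {
    echo "denial:  $(avc_summary "$SAMPLE_AVC")"
    echo "relabel:"
    fix_for_avc "$SAMPLE_AVC" slapd_keytab_t
}

main "$@"
```

Before running the printed commands on a real host, confirm that slapd_t is actually allowed what it needs on the chosen type (sesearch -A -s slapd_t -t slapd_keytab_t -c file, from setools); afterwards, matchpathcon on the cache path or ls -Z on the directory shows whether the new label took. The same script works for the krb5_host_rcache_t alternative Miroslav mentions by passing that type instead.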