| field | value | date |
|---|---|---|
| author | Nathan Kinder <nkinder@redhat.com> | 2009-10-30 08:44:34 -0700 |
| committer | Nathan Kinder <nkinder@redhat.com> | 2009-10-30 08:44:34 -0700 |
| commit | 027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5 (patch) | |
| tree | e034d5ee8f3440f7c9cfbd2ff48517eb982d8020 /selinux | |
| parent | b6263499b32d6a403dbe9da9297cd61f32706010 (diff) | |
| download | ds-027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5.tar.gz, ds-027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5.tar.xz, ds-027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5.zip | |
529909 - Update SELinux policy for SASL GSSAPI
The dirsrv SELinux policy needs some changes to allow SASL GSSAPI
authentication to work. We need to allow ns-slapd to read the
krb5.conf file and to create the in-memory credentials cache. The
kerberos libraries also attempt to open the krb5.conf in write mode,
so we need to prevent those attempts from being audited.
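The commit message describes three denials (reading krb5.conf, a write attempt on it that should only be silenced, and a process permission) and the policy rules that answer them. The following is an added example, not 389-ds or refpolicy code, of the audit2allow-style triage that leads from such AVC records to the rules in this patch. The audit log lines are constructed to match the message; the mapping from raw rules to the `kerberos_read_config` / `kerberos_dontaudit_write_config` interfaces is a small hand-written table, and the decision to `dontaudit` the write rather than allow it is the one the commit message makes.

```python
"""Mini audit2allow: turn AVC denials for ns-slapd into .te rules.

Added example (not 389-ds code). The AVC lines below are constructed to
look like what the commit message describes; the interface table maps
raw rules to the refpolicy interfaces used in the patch.
"""
import re
from collections import defaultdict

# One audit record per line, as auditd writes them (constructed sample).
# The last line is a non-denial record and must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1256917474.101:45): avc:  denied  { read open } for  pid=2345 comm="ns-slapd" name="krb5.conf" dev=dm-0 ino=131 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1256917474.102:46): avc:  denied  { write } for  pid=2345 comm="ns-slapd" name="krb5.conf" dev=dm-0 ino=131 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1256917474.110:47): avc:  denied  { setfscreate } for  pid=2345 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=USER_AVC msg=audit(1256917474.111:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions the daemon provokes but does not need. libkrb5 tries to open
# krb5.conf for writing before falling back to read-only, so the write is
# silenced with dontaudit instead of being granted (as the patch does).
DEFAULT_DONTAUDIT = frozenset({("krb5_conf_t", "file", "write")})

# (kind, target type, class) -> refpolicy interface that expresses the rule.
# Only the two interfaces used by the patch are listed (hand-written table);
# anything else is emitted as a raw allow/dontaudit rule.
INTERFACES = {
    ("allow", "krb5_conf_t", "file"): "kerberos_read_config",
    ("dontaudit", "krb5_conf_t", "file"): "kerberos_dontaudit_write_config",
}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:level] -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def collect_rules(log_text, dontaudit=DEFAULT_DONTAUDIT):
    """Merge denials into {(kind, source, target, class): sorted perms}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        for perm in perms:
            kind = "dontaudit" if (ttype, tclass, perm) in dontaudit else "allow"
            merged[(kind, stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in merged.items()}


def render_te(rules):
    """Emit .te lines: interface calls where the table knows one, raw rules otherwise."""
    lines = []
    for (kind, stype, ttype, tclass), perms in sorted(rules.items()):
        iface = INTERFACES.get((kind, ttype, tclass))
        if iface:
            lines.append(f"{iface}({stype})")
        else:
            target = "self" if stype == ttype else ttype
            lines.append(f"{kind} {stype} {target}:{tclass} {{ {' '.join(perms)} }};")
    return lines


if __name__ == "__main__":
    for te_line in render_te(collect_rules(SAMPLE_AUDIT_LOG)):
        print(te_line)
```

Run stand-alone it prints the process rule as a raw `allow dirsrv_t self:process { setfscreate };` (no interface covers it) and the two krb5.conf denials as the interface calls the patch adds. The point of keeping a dontaudit table rather than allowing everything the log shows is exactly the one the commit message makes: a denial in the log is evidence that code tried something, not that the daemon needs it.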
Diffstat (limited to 'selinux')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | selinux/dirsrv.te | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te index 6dcabe1f..60901f28 100644 --- a/selinux/dirsrv.te +++ b/selinux/dirsrv.te @@ -85,7 +85,7 @@ libs_use_shared_libs(dirsrv_t) allow dirsrv_t self:fifo_file { read write }; # process stuff -allow dirsrv_t self:process { getsched setsched signal_perms}; +allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner }; # semaphores @@ -132,6 +132,10 @@ files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) fs_getattr_all_fs(dirsrv_t) kernel_read_system_state(dirsrv_t) +# kerberos config for SASL GSSAPI +kerberos_read_config(dirsrv_t) +kerberos_dontaudit_write_config(dirsrv_t) + # Networking basics sysnet_dns_name_resolve(dirsrv_t) corenet_all_recvfrom_unlabeled(dirsrv_t) |
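Review bot: the `setfscreate` added to `allow dirsrv_t self:process { ... }` in the first hunk is not explained by the commit message, which only covers reading krb5.conf and creating an in-memory credentials cache. setfscreate lets ns-slapd choose the label of files it creates (setfscreatecon()) instead of relying on the type transitions the policy already declares, such as the `files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })` visible in the second hunk's context, and by itself it grants nothing unless the domain also has create permission on the chosen type. Please state which library call needs it (a comment next to the rule, in the style of the `# process stuff` line above it, would be enough), or drop it if the denial it silences is harmless.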
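Review bot: `kerberos_read_config(dirsrv_t)` and `kerberos_dontaudit_write_config(dirsrv_t)` in the second hunk are interfaces of the refpolicy kerberos module and are called unconditionally; building this policy against a tree without that module will fail, so wrap the two calls in `optional_policy(` ... `')`, as is conventional for interfaces from non-base modules. The choice of rules is right: the write is only probed by libkrb5 (as the message says), so silencing it instead of granting write on krb5_conf_t keeps ns-slapd unable to modify realm configuration.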