If the 'proxy user' configuation option is set in the [gssproxy] section then
GSS Proxy will drop privileges to the specified after setting up all the
sockets.

Care must be taken to make sure all the resources the daemon need access to
(keytabs, ccache directories, etc..) are accessible as the proxy user.

Implements: https://fedorahosted.org/gss-proxy/ticket/102

Signed-off-by: Simo Sorce <simo@redhat.com>

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

By setting the impersonate flag to true, the acquisition of credentials will
be done using constrained delegation (s4uself + s4u2proxy).

To work this needs MIT Kereberos 1.11.4 or later.
Previous versions have a bug in the import_cred function that prevents the
library from properly importing previously exported delegated credentials.

Resolves: https://fedorahosted.org/gss-proxy/ticket/95

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

LOCAL_FIRST is our default

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Using getpeercon we can know the elinux context of the process talking to
gssproxy. Use this information as an optional additional filter to match
processes to service definitions.
If a selinux_context option with a full user;role;type context is specified
into a service section, then the connecting process must also be running under
the specified selinux context in order to be allowed to connect.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>