diff options
| author | Robbie Harwood (frozencemetery) <rharwood@redhat.com> | 2015-08-18 15:41:49 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-08-18 17:53:17 -0400 |
| commit | 4474bf5d9bb8830fecdb91774f6a3540a7c788da (patch) | |
| tree | 991ee3af766213d1f927c661f5606add95d5b23b | |
| parent | 47d375b517db0dc9ad573ad7bafc9e266764a48a (diff) | |
| download | gss-proxy-4474bf5d9bb8830fecdb91774f6a3540a7c788da.tar.gz gss-proxy-4474bf5d9bb8830fecdb91774f6a3540a7c788da.tar.xz gss-proxy-4474bf5d9bb8830fecdb91774f6a3540a7c788da.zip | |
Specify KRB5RCACHEDIR in systemd unit file
Moving out of /var/tmp allows for improved separation with selinux and fixes
an AVC denial.
Signed-off-by: Robbie Harwood (frozencemetery) <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/gss-proxy/ticket/145
Ticket: https://fedorahosted.org/gss-proxy/ticket/130
Closes #1
| -rw-r--r-- | proxy/contrib/gssproxy.spec.in | 2 | ||||
| -rw-r--r-- | proxy/systemd/gssproxy.service.in | 1 |
2 files changed, 3 insertions, 0 deletions
diff --git a/proxy/contrib/gssproxy.spec.in b/proxy/contrib/gssproxy.spec.in index 185317c..9ec1298 100644 --- a/proxy/contrib/gssproxy.spec.in +++ b/proxy/contrib/gssproxy.spec.in @@ -74,6 +74,7 @@ install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf +mkdir -p %{buildroot}/var/lib/gssproxy/rcache %clean rm -rf %{buildroot} @@ -88,6 +89,7 @@ rm -rf %{buildroot} %attr(700,root,root) %dir %{gpstatedir}/clients %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf %attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf +%attr(700,root,root) %dir /var/lib/gssproxy/rcache %{_libdir}/gssproxy/proxymech.so %{_mandir}/man5/gssproxy.conf.5* %{_mandir}/man8/gssproxy.8* diff --git a/proxy/systemd/gssproxy.service.in b/proxy/systemd/gssproxy.service.in index 7aa6785..dae39ee 100644 --- a/proxy/systemd/gssproxy.service.in +++ b/proxy/systemd/gssproxy.service.in @@ -6,6 +6,7 @@ Before=nfs-secure.service nfs-secure-server.service Requires=proc-fs-nfsd.mount [Service] +Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache ExecStart=@sbindir@/gssproxy -D # These two should be used with traditional UNIX forking daemons # consult systemd.service(5) for more details |