From 4474bf5d9bb8830fecdb91774f6a3540a7c788da Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)"
Date: Tue, 18 Aug 2015 15:41:49 -0400
Subject: Specify KRB5RCACHEDIR in systemd unit file

Moving out of /var/tmp allows for improved separation with selinux and fixes an AVC denial.

Signed-off-by: Robbie Harwood (frozencemetery)
Reviewed-by: Simo Sorce
Ticket: https://fedorahosted.org/gss-proxy/ticket/145
Ticket: https://fedorahosted.org/gss-proxy/ticket/130
Closes #1
---
 proxy/contrib/gssproxy.spec.in | 2 ++
 proxy/systemd/gssproxy.service.in | 1 +
 2 files changed, 3 insertions(+)

diff --git a/proxy/contrib/gssproxy.spec.in b/proxy/contrib/gssproxy.spec.in
index 185317c..9ec1298 100644
--- a/proxy/contrib/gssproxy.spec.in
+++ b/proxy/contrib/gssproxy.spec.in
@@ -74,6 +74,7 @@ install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
 install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
 mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d
 install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
+mkdir -p %{buildroot}/var/lib/gssproxy/rcache
 
 %clean
 rm -rf %{buildroot}
@@ -88,6 +89,7 @@ rm -rf %{buildroot}
 %attr(700,root,root) %dir %{gpstatedir}/clients
 %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
 %attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
+%attr(700,root,root) %dir /var/lib/gssproxy/rcache
 %{_libdir}/gssproxy/proxymech.so
 %{_mandir}/man5/gssproxy.conf.5*
 %{_mandir}/man8/gssproxy.8*
diff --git a/proxy/systemd/gssproxy.service.in b/proxy/systemd/gssproxy.service.in
index 7aa6785..dae39ee 100644
--- a/proxy/systemd/gssproxy.service.in
+++ b/proxy/systemd/gssproxy.service.in
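Review bot: The new `mkdir -p %{buildroot}/var/lib/gssproxy/rcache` in %install spells the state path out literally, and the same literal appears again in the `%attr(700,root,root) %dir` line of the second hunk and in the `Environment=` line of gssproxy.service.in, so the three can drift apart if the state directory is ever configured elsewhere. The %files context already uses `%{gpstatedir}/clients`; if that macro resolves to /var/lib/gssproxy (its definition is not visible here), `%{gpstatedir}/rcache` would keep the spec in step with it. Writing the %install line as `install -d -m700 %{buildroot}%{gpstatedir}/rcache` would also match the `install -d -m755` idiom visible in the hunk header and give the buildroot directory the mode the package later declares, rather than leaving it at the umask default until `%attr` is applied.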
@@ -6,6 +6,7 @@ Before=nfs-secure.service nfs-secure-server.service
 Requires=proc-fs-nfsd.mount
 
 [Service]
+Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
 ExecStart=@sbindir@/gssproxy -D
 # These two should be used with traditional UNIX forking daemons
 # consult systemd.service(5) for more details
-- 
cgit
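Review bot: The `Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache` line assumes the directory already exists and is private to root, but in this commit only the RPM spec creates it; whether `make install` or other packaging does so is not visible here. The replay cache is a security control, so the requirement is worth stating next to the setting, for example `# Replay cache dir: must exist, owned by root, mode 0700 (created by the package)`. The variable is also set only for the systemd-started daemon, so a gssproxy launched by hand or under another init system presumably keeps using the libkrb5 default location that the commit message is moving away from. The [Service] section continues past the end of the hunk.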