Hello,
I have created a SELinux policy file for heimdal with LDAP support. It
also has the rules to make pam_krb5 for heimdal and passwd work, and to
let slapd use saslauth.
This makes a good central authentication environment possible under SELinux.
It is based on the openldap, kerberos and saslauth policy files.
I would like some comment on the policy, what can I do better.
Is this an odd or nonstandard daemon configuration, or could it be
integrated into the portage tree?
I would be interested in maintaining this policy myself.
Mivz
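# Type-enforcement rules for a Heimdal KDC/kpasswdd with an OpenLDAP backend,
# plus the extra permissions pam_krb5, saslauthd, slapd, kadmind, passwd and
# ordinary users (user_t) need in that setup.
# Based on the openldap, kerberos and saslauth policy files.

# ---- type declarations ----
# daemon_domain defines kpasswdd_t and kpasswdd_exec_t.
daemon_domain(kpasswdd)
# Type for the kpasswd client binary (/usr/sbin/kpasswd in the file contexts).
# NOTE(review): nothing below references kpasswd_exec_t, so no domain
# transition exists for the client yet; it runs in the caller's domain.
type kpasswd_exec_t, file_type, exec_type;
# Keytab owned by slapd (/etc/openldap/ldap.keytab). A separate type from
# krb5_keytab_t so that read access can be granted to slapd_t alone.
type slapd_keytab_t, file_type, sysadmfile;

# ---- heimdal kpasswdd ----
# kpasswdd listens on the kerberos_admin port (464) and needs the
# privileged-port capability to bind it.
can_network_server(kpasswdd_t)
allow kpasswdd_t self:capability net_bind_service;
allow kpasswdd_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kpasswdd_t self:unix_dgram_socket { create connect write };
allow kpasswdd_t self:unix_stream_socket { connect create getattr read write };
# netlink route socket; presumably used for local address/interface lookup
# during startup — confirm with audit logs before trimming.
allow kpasswdd_t self:netlink_route_socket { create bind getattr read write
	nlmsg_read };
# LDAP backend over the local unix socket (/var/run/openldap/slapd.sock).
allow kpasswdd_t slapd_var_run_t:dir search;
allow kpasswdd_t slapd_var_run_t:sock_file write;
allow kpasswdd_t slapd_t:unix_stream_socket connectto;
# Master key and kadmind ACL (/var/heimdal/m-key, /var/heimdal/kadmind.acl).
allow kpasswdd_t krb5kdc_conf_t:file { read lock getattr };
# /etc/krb5.conf
allow kpasswdd_t krb5_conf_t:file { read getattr };
# /etc/nsswitch.conf
allow kpasswdd_t etc_t:file read;

# ---- heimdal kdc, LDAP backend ----
# Same slapd unix-socket access as kpasswdd above.
allow krb5kdc_t slapd_var_run_t:dir search;
allow krb5kdc_t slapd_var_run_t:sock_file write;
allow krb5kdc_t slapd_t:unix_stream_socket connectto;

# ---- pam_krb5 (local login) ----
# Host keytab, needed to verify the obtained TGT against the local host key.
allow local_login_t krb5_keytab_t:file { lock read };
# NOTE(review): relabelfrom/relabelto on every device_t chr_file is much
# broader than the tty relabel login normally does and does not look
# pam_krb5 specific — check whether a denial actually required it.
allow local_login_t device_t:chr_file { relabelfrom relabelto };
allow local_login_t self:netlink_route_socket { bind create getattr nlmsg_read
	read write };

# ---- saslauthd ----
allow saslauthd_t krb5_keytab_t:file { lock read };
allow saslauthd_t self:netlink_route_socket { create bind read getattr write
	nlmsg_read };
# slapd authenticates through saslauthd's unix socket.
allow slapd_t saslauthd_var_run_t:dir search;
allow slapd_t saslauthd_var_run_t:sock_file write;
allow slapd_t saslauthd_t:unix_stream_socket connectto;

# ---- slapd ----
# /etc/openldap/ldap.keytab
allow slapd_t slapd_keytab_t:file { lock read };
# /etc/krb5.conf
allow slapd_t krb5_conf_t:file { read getattr };

# ---- kadmind ----
# NOTE(review): kadmind stays root but reportedly crashes without setpgid;
# the reason is not understood — confirm with the audit log.
allow kadmind_t self:process setpgid;

# ---- passwd ----
# passwd only opens outbound connections (ldap_port_t below, and the
# kpasswdd port for the password change); it never binds or listens, so it
# gets the client macro rather than can_network_server, which also granted
# the server-side socket permissions.
# NOTE(review): assumes can_network_client is defined next to
# can_network_server in this policy tree's global macros — confirm.
can_network_client(passwd_t)
allow passwd_t krb5_conf_t:file { getattr read };
allow passwd_t self:netlink_route_socket { read nlmsg_read write getattr bind
	create };
allow passwd_t sysctl_kernel_t:dir search;
allow passwd_t sysctl_kernel_t:file read;
allow passwd_t self:tcp_socket connect;
allow passwd_t ldap_port_t:tcp_socket name_connect;

# ---- user_t ----
# Credential cache (/tmp/krb5cc*) created by login, used by the session.
allow user_t local_login_tmp_t:file { read lock append };
# Needed for whoami / id to work; otherwise "I have no name!" for ldap users.
allow user_t nscd_var_run_t:dir search;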
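# Gentoo file locations for heimdal.
# Each entry is one line (the kpasswdd entry was split across two lines,
# which file_contexts does not accept) and literal dots are escaped so the
# regex does not match other characters in that position.
/usr/sbin/kdc			--	system_u:object_r:krb5kdc_exec_t
/usr/sbin/kpasswdd		--	system_u:object_r:kpasswdd_exec_t
/usr/sbin/kpasswd		--	system_u:object_r:kpasswd_exec_t
/var/heimdal/kadmind\.acl	--	system_u:object_r:krb5kdc_conf_t
/var/heimdal/m-key		--	system_u:object_r:krb5kdc_conf_t
# slapd keytab
/etc/openldap/ldap\.keytab	--	system_u:object_r:slapd_keytab_t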