| 1 |
Chris PeBenito wrote: |
| 2 |
|
| 3 |
>On Wed, 2006-01-25 at 12:56 +0100, Mivz wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>>I would like some comment on the policy, what can I do better. |
| 7 |
>>Is this a odd or nonstandard daemon configuration, or could it be |
| 8 |
>>integrated in the portage tree? |
| 9 |
>>I would be interested in maintaining this policy my self. |
| 10 |
>> |
| 11 |
>> |
| 12 |
> |
| 13 |
>If heimdal is supposed to work with LDAP, then its not nonstandard. |
| 14 |
>Nonstandard means moving file locations or gluing two programs together |
| 15 |
>that aren't normally associated with each other. As for the rules, they |
| 16 |
>seem reasonable except for the two rules I listed below, which are odd |
| 17 |
>since they deal with a user domain. It can't be integrated into portage |
| 18 |
>as we're working on switching over to reference policy [1], which has a |
| 19 |
>new organization. |
| 20 |
> |
| 21 |
>[1] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=113433863728029&w=2 |
| 22 |
> |
| 23 |
> |
| 24 |
> |
| 25 |
>>plain text document attachment (heimdal-LDAP.te) |
| 26 |
>> |
| 27 |
>> |
| 28 |
>>#/tmp/krb5cc |
| 29 |
>>allow user_t local_login_tmp_t:file { read lock append }; |
| 30 |
>> |
| 31 |
>> |
| 32 |
I added this rule because pam_krb5 init's the krbcc and thus causes the |
| 33 |
/tmp/krbcc to be in the wrong security context. Also kinit and kdestroy |
| 34 |
loose access to /tmp/krbcc because of this. Is this a pam_krb5 bug, |
| 35 |
because it creates the /tmp/krbcc file in the wrong context, or a |
| 36 |
selinux-kerberos bug, because it does not handel the /tmp/krbcc file |
| 37 |
correct? |
| 38 |
|
| 39 |
>>#Needed for whoami / id to work. Else: "I have no name!" for ldap users. |
| 40 |
>>allow user_t nscd_var_run_t:dir search; |
| 41 |
>> |
| 42 |
>> |
| 43 |
This rule I have added because users added through ldap otherwise can't |
| 44 |
find there name. |
| 45 |
Whitout it the console shows a "I have no name!@host ~ $", like wise |
| 46 |
whoami and id can't find a user name. So that is probably a bug in |
| 47 |
nscd.te, which is in the base-policy. Should I also file a bug report on |
| 48 |
this? |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-hardened@g.o mailing list |
Archives