Chris PeBenito wrote:

>On Wed, 2006-01-25 at 12:56 +0100, Mivz wrote:
>
>>I would like some comment on the policy, what can I do better.
>>Is this an odd or nonstandard daemon configuration, or could it be
>>integrated in the portage tree?
>>I would be interested in maintaining this policy myself.
>>
>
>If heimdal is supposed to work with LDAP, then it's not nonstandard.
>Nonstandard means moving file locations or gluing two programs together
>that aren't normally associated with each other. As for the rules, they
>seem reasonable except for the two rules I listed below, which are odd
>since they deal with a user domain. It can't be integrated into portage
>as we're working on switching over to reference policy [1], which has a
>new organization.
>
>[1] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=113433863728029&w=2
>
>
>>plain text document attachment (heimdal-LDAP.te)
>>
>>#/tmp/krb5cc
>>allow user_t local_login_tmp_t:file { read lock append };
>>
>
I added this rule because pam_krb5 inits the krbcc and thus causes the
/tmp/krbcc to be in the wrong security context. Also kinit and kdestroy
lose access to /tmp/krbcc because of this. Is this a pam_krb5 bug,
because it creates the /tmp/krbcc file in the wrong context, or a
selinux-kerberos bug, because it does not handle the /tmp/krbcc file
correctly?

>>#Needed for whoami / id to work. Else: "I have no name!" for ldap users.
>>allow user_t nscd_var_run_t:dir search;
>>
>
This rule I have added because users added through ldap otherwise can't
find their name.
Without it the console shows "I have no name!@host ~ $"; likewise
whoami and id can't find a user name. So that is probably a bug in
nscd.te, which is in the base-policy. Should I also file a bug report on
this?


--
gentoo-hardened@g.o mailing list
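The point Chris makes above, that a daemon module should not carry allow rules whose source is a user domain, can be checked mechanically. The following is an added example, not code from the thread or from any policy tree: a small linter that parses `allow` statements from a .te fragment (built from the two rules quoted above plus one constructed daemon rule with hypothetical type names) and reports those sourced from a user domain.

```python
"""Flag allow rules in a .te fragment whose source is a user domain.

Such rules (e.g. 'allow user_t ...') in a daemon policy usually point at a
labeling problem or a base-policy gap, which is where the thread's two
rules ended up: they belong in the base policy, not in heimdal-LDAP.te.
"""
import re

# Constructed sample: the two rules quoted in the thread, plus one rule
# with hypothetical type names that legitimately belongs to a daemon module.
SAMPLE_TE = """
#/tmp/krb5cc
allow user_t local_login_tmp_t:file { read lock append };

#Needed for whoami / id to work. Else: "I have no name!" for ldap users.
allow user_t nscd_var_run_t:dir search;

# hypothetical daemon-domain rule (type names are placeholders)
allow heimdal_kdc_t heimdal_conf_t:file { read getattr };
"""

# Source domains a daemon module should not be granting permissions to.
USER_DOMAINS = {"user_t", "staff_t", "sysadm_t"}

# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { p1 p2 };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
)


def parse_allow_rules(text):
    """Return (source, target, class, frozenset(perms)) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # comments, blank lines and other statements are skipped
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def user_domain_rules(text, user_domains=USER_DOMAINS):
    """Return only the rules whose source domain is a user domain."""
    return [r for r in parse_allow_rules(text) if r[0] in user_domains]


if __name__ == "__main__":
    for src, tgt, cls, perms in user_domain_rules(SAMPLE_TE):
        print(f"odd in a daemon policy: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```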