[OpenAFS] OpenAFS clients and _confined_ SELinux users

Chaskiel Grundman cg2v@andrew.cmu.edu
Mon, 25 Aug 2008 12:45:31 -0400 (EDT)


I'm going to be setting up a shell server in the next few months and would 
like to be able to use SELinux to lock it down so I can worry about it 
less. Unfortunately, there's no policy that I know of that allows confined 
user roles (user_r, staff_r, sysadm_r) to access AFS. Has anyone worked on 
such a thing? Completed it?

There are 3 areas that would need to be covered:
1) Keyring stuff (confined users cannot search their own keyrings; not 
OpenAFS-specific)
2) Using the UDP socket
3) Reading/writing data in the cache (V* files, *Items files)

TIA.
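One way to sketch the three areas above as a single loadable policy module, added here as an example and not anything OpenAFS or refpolicy ships. The type afs_cache_t, the afs_client_domain attribute, the /var/cache/openafs path, and the assumption that afsd is started from an init script with no policy of its own (so its rx socket is created in initrc_t) are all assumptions, not facts about any existing policy; the confined domains user_t, staff_t and sysadm_t are the stock refpolicy ones.

```selinux
policy_module(openafs_confined_users, 0.1)

# Example module for this thread; not an OpenAFS or refpolicy module.
# Assumptions, marked where used:
#  - afs_cache_t is a new type declared here for the cache files;
#  - afsd runs in initrc_t (no policy of its own), so its socket carries
#    that domain; check with `ps -eZ | grep afsd` and substitute if not;
#  - the cache lives in /var/cache/openafs (see the .fc line at the end).

require {
	type user_t;
	type staff_t;
	type sysadm_t;
	type initrc_t;
}

# One attribute for every confined domain that should be able to use AFS,
# so each rule below is written once.
attribute afs_client_domain;
typeattribute user_t afs_client_domain;
typeattribute staff_t afs_client_domain;
typeattribute sysadm_t afs_client_domain;

# Type for the cache directory and the V* / *Items files in it.
type afs_cache_t;
files_type(afs_cache_t)

########################################
# 1) Keyrings. The PAG is kept in the session keyring, so the confined
#    domains need to search (and, for keyctl show/print, view and read)
#    their own keys. Nothing here is AFS-specific.
allow afs_client_domain self:key { view read search link };

########################################
# 2) The rx UDP socket. afsd creates it, so the socket object carries
#    afsd's domain (assumed initrc_t). Rx sends are issued in the context
#    of whichever process touches /afs, so the confined domains need
#    read/write on that one socket. The netif/node/port checks are already
#    granted to user domains by refpolicy's userdom networking template,
#    so only the socket object itself is missing.
allow afs_client_domain initrc_t:udp_socket { read write sendto recvfrom };

########################################
# 3) The cache. The cache manager opens cache files in the context of the
#    process doing the file operation, so the confined domains need the
#    cache directory and its files directly.
allow afs_client_domain afs_cache_t:dir search_dir_perms;
allow afs_client_domain afs_cache_t:file rw_file_perms;

# openafs_confined_users.fc (assumed cache location):
# /var/cache/openafs(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
```

Build it with `make -f /usr/share/selinux/devel/Makefile openafs_confined_users.pp`, load it with `semodule -i openafs_confined_users.pp`, and relabel the cache with `restorecon -R /var/cache/openafs`. If afsd does not actually run in initrc_t on the box, replace that type in the udp_socket rule with whatever `ps -eZ` reports for it; running the machine in permissive mode for a session and feeding the AVC denials through `audit2allow -a` is the quickest way to see which of the three areas the module still misses.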