[OpenAFS] OpenAFS clients and _confined_ SELinux users

Jason Edgecombe jason@rampaginggeek.com
Mon, 25 Aug 2008 13:09:22 -0400


Chaskiel Grundman wrote:
> I'm going to be setting up a shell server in the next few months and
> would like to be able to use selinux to lock it down so I can worry
> about it less. Unfortunately, there's no policy that I know of that
> allows confined user roles (user_r, staff_r, sysadm_r) to access afs.
> Has anyone worked on such a thing? Completed it?
>
> There are 3 areas that would need to be covered:
> 1) keyring stuff (confined users cannot search their own keyrings. not
> openafs-specific)
> 2) Using the udp socket
> 3) reading/writing data in the cache (V* files, *Items files)
I have two shell servers running RHEL5 with AFS homedirs and selinux
enabled with the targeted policy. I had to enable the nfs_home_dirs
seboolean, but that's all I recall about getting things to work.

Are you looking for a more restrictive policy to use with a policy other
than the targeted one?

Jason
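As an added illustration of the three areas listed in the question (not from either poster or from the OpenAFS project), a skeleton of the kind of local policy module that would grant confined user domains those accesses. It assumes the reference policy's `userdomain` attribute and its `afs_cache_t` label for the client cache directory; the permission sets are a starting point to be narrowed down against actual audit denials on the target box, not a tested policy.

```selinux
# Hypothetical local module: let confined user roles use an OpenAFS client.
# Assumes refpolicy's 'userdomain' attribute (user_t, staff_t, sysadm_t ...)
# and 'afs_cache_t' as the label on the cache directory (e.g. /var/cache/openafs).
policy_module(afs_confined_users, 0.1)

require {
    attribute userdomain;   # all user domains, so user_r/staff_r/sysadm_r are covered
    type afs_cache_t;       # assumed label of the cache manager's on-disk cache
}

# 1) keyring: confined users must be able to find and inspect their own
#    keyrings, which is where the PAG/session key lives (not AFS-specific).
allow userdomain self:key { search view read };

# 2) UDP socket: Rx traffic to file servers is sent in the context of the
#    process that triggered the cache manager, so the user domain needs it.
allow userdomain self:udp_socket { create bind connect read write getattr ioctl };

# 3) cache files (V* and *Items files): cache manager I/O done on behalf of
#    the calling process is checked against that process's domain.
allow userdomain afs_cache_t:dir { search getattr read };
allow userdomain afs_cache_t:file { read write getattr };
```

Build and load it with the usual `checkmodule`/`semodule_package`/`semodule -i` sequence, then tighten the rules using the remaining AVC denials rather than adding more permissions up front.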