[OpenAFS] OpenAFS and SELinux?
Stephan.Wiesand@desy.de
Fri, 28 Mar 2008 08:52:51 +0100 (CET)
On Fri, 28 Mar 2008, Joshua Hutchins wrote:
> I'm looking for ways to improve the security of some of our servers- one
> in particular which runs mail as well as an AFS fileserver. I'm
> concerned that a hacked mail server could lead to compromise of the
> server key, which would then compromise the entire cluster. SELinux
> would be able to keep the file server key safe from other processes, but
> I don't know if it would play nicely with AFS. Has anyone tried running
> OpenAFS under SELinux, and if so, does it work well?
Yes, at least if the server runs in the unconfined_t domain (which is no
longer completely unconfined on EL5 - I guess this is about Red Hat
Enterprise Linux or a clone?). Just "chcon -t unconfined_exec_t" the init
script. On EL4, you'll have to use runcon inside the script instead. I
think the server also works fine without all this at least on EL4, but
who knows.
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany