[OpenAFS] OpenAFS and SELinux?

Stephan.Wiesand@desy.de Stephan.Wiesand@desy.de
Fri, 28 Mar 2008 08:52:51 +0100 (CET)

On Fri, 28 Mar 2008, Joshua Hutchins wrote:

> I'm looking for ways to improve the security of some of our servers- one
> in particular which runs mail as well as an AFS fileserver.  I'm
> concerned that a hacked mail server could lead to compromise of the
> server key, which would then compromise the entire cluster.  SELinux
> would be able to keep the file server key safe from other processes, but
> I don't know if it would play nicely with AFS.  Has anyone tried running
> OpenAFS under SELinux, and if so, does it work well?

Yes, at least if the server runs in the unconfined_t domain (which is no 
longer cpmpletely unconfined on EL5 - I guess this is about Red Hat 
Enterprise Linux or a clone?). Just "chcon -t unconfined_exec_t" the init 
script. On EL4, you'll have to use runcon inside the script instead. I 
think the server also works fine without all this at least on EL4, but 
who knows.

Stephan Wiesand
   DESY - DV -
   Platanenallee 6
   15738 Zeuthen, Germany