[OpenAFS] OpenAFS and SELinux?

Christopher D. Clausen cclausen@acm.org
Sun, 30 Mar 2008 17:14:55 -0500

Jason Edgecombe <jason@rampaginggeek.com> wrote:
> Joshua Hutchins wrote:
>> Harald Barth wrote:
>>>> I'm concerned that a hacked mail server could lead to compromise of
>>>> the server key, which would then compromise the entire cluster.
>>> I know that there are folks out there which deliver email into AFS
>>> and not all of you do it by distributing the server key to the email
>>> server, don't you? So how do you do it?

I was doing this by having seperate mail.<user> volumes with an ACL 
allowing the mail server itself (not an IP ACL, a keytab used by k5start 
was created) to create, insert, lookup, etc. in specific directories as 
required by the mail server.  The seperate volume was needed to NOT 
grant users "a" to prevent someone who knows what they were doing from 
mounting another user's mail volume under their own and reading the 
contents.  It was also done to mount these volumes at a specific 
location and have the mail server chroot there.  This also required 
disabling exec-ings commands with procmail and .forward files and other 
precautions to prevent access to other user's data.  It also required 
using the maildir format, as MBOX files don't work so well in AFS.

The IMAP server I was using (dovecot) supported PAM and one could 
actually have it obtain tokens on behalf of the user in order to read / 
delete email.

This worked for me but it was slow and I do not have a lot of email. 
This setup has also been taken down as there were very few people who 
cared about it.

> I would highly recommend splitting the mail server from the file
> server. Use Xen/VMware or something else to make two virtuals if you
> don't have a spare box.
> selinux works fine with OpenAFS clients, but I haven't run it on
> servers before.

I too would recomend NOT running the email server on an AFS fileserver 
directly.  (Or nearly any other service, with the possible exceptions of 
a KDC or an AFS backup process.)