MIT Krb5 + SELinux

Sam Hartman hartmans at MIT.EDU
Wed Apr 14 12:02:46 EDT 2004


I cannot think of anything that Kerberos applications need other than
network and urandom.

The KDC does not need write access to the database, although of course
kadmind does.

You probably want to make it difficult for either the KDC or the
kadmind to execute other programs or switch domains to limit the
efficacy of a compromise.

--Sam
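A lint-style check of the three points above over SELinux `allow` rules, as an added example that is not part of the original message or of any shipped policy. The type names `krb5kdc_t`, `kadmind_t` and `krb5_db_t` and the sample rules are constructed assumptions.

```python
import re

# Constructed sample rules in .te / sesearch "allow" syntax. Every type name
# here is a hypothetical placeholder, not taken from a real policy module.
SAMPLE_POLICY = """
allow krb5kdc_t krb5_db_t:file { read getattr lock };
allow krb5kdc_t krb5_db_t:file { write append };
allow kadmind_t krb5_db_t:file { read write getattr lock };
allow krb5kdc_t urandom_device_t:chr_file { read getattr };
allow kadmind_t shell_exec_t:file { read execute execute_no_trans };
allow krb5kdc_t unconfined_t:process transition;
allow krb5kdc_t self:tcp_socket { create bind listen accept };
"""

RULE = re.compile(
    r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")
WRITE = {"write", "append", "create", "unlink", "rename", "setattr"}
# execute_no_trans = run another program while staying in the same domain.
# Plain "execute" is not flagged: mapping shared libraries needs it.
EXEC = {"execute_no_trans"}
DOMAIN_SWITCH = {"transition", "dyntransition"}

def audit(policy, kdc="krb5kdc_t", kadmind="kadmind_t", db="krb5_db_t"):
    """Return (source, finding, target, perms) for rules that go beyond
    what the message says the KDC and kadmind need."""
    findings = []
    for line in policy.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) not in (kdc, kadmind):
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced or single).split())
        # Only kadmind needs to modify the database; the KDC reads it.
        if src == kdc and tgt == db and perms & WRITE:
            findings.append((src, "db-write", tgt, sorted(perms & WRITE)))
        if cls == "file" and perms & EXEC:
            findings.append((src, "exec", tgt, sorted(perms & EXEC)))
        if cls == "process" and perms & DOMAIN_SWITCH:
            findings.append(
                (src, "domain-switch", tgt, sorted(perms & DOMAIN_SWITCH)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```
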


