[selinux-policy: 2155/3172] kerberos patch from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:11:31 UTC 2010
commit 4aa075262ae683ab61b6c9c82fb16114d6f32348
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jul 20 15:41:08 2009 -0400
kerberos patch from dan
policy/modules/services/kerberos.fc | 8 ++++++--
policy/modules/services/kerberos.if | 6 +++++-
policy/modules/services/kerberos.te | 8 +++++++-
3 files changed, 18 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 8046831..3525d24 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -1,3 +1,6 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
@@ -6,13 +9,14 @@
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
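Review bot: The new `/usr/kerberos/sbin/kpropd` entry covers only the `/usr/kerberos` prefix, while the krb5kdc and kadmind lines a few lines above accept `/usr/(local/)?(kerberos/)?sbin/`; a kpropd shipped at /usr/sbin/kpropd or /usr/local/sbin/kpropd would presumably keep the generic bin label and never transition into kpropd_t. I would make the pattern match its siblings: `/usr/(local/)?(kerberos/)?sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)`. The init-script rename from kpropd to kprop is fine as long as the packaged script is really called kprop; that is worth checking against the package rather than assumed from this hunk.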
@@ -21,7 +25,7 @@
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
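Review bot: The widened `principal.*\.ok` lock entry shares its literal stem (`/var/kerberos/krb5kdc/principal`) with the `principal.*` entry on the line above, so as I read file_contexts precedence it only wins because it is listed later; re-sorting or moving these lines would silently relabel the .ok files as krb5kdc_principal_t. A one-line comment above the lock entry, `# keep after the principal.* entry: same stem, last match wins`, would protect that ordering. Note also that the new pattern matches any `principal<anything>.ok`, not just `principal.ok`, which is presumably intended for the per-database .ok files.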
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 82b9929..db5ca26 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -70,6 +70,7 @@ interface(`kerberos_domtrans_kpropd',`
interface(`kerberos_use',`
gen_require(`
type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
')
files_search_etc($1)
@@ -101,6 +102,8 @@ interface(`kerberos_use',`
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
+
+ allow $1 krb5_host_rcache_t:file getattr;
')
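Review bot: The added `allow $1 krb5_host_rcache_t:file getattr;` carries no explanation of which operation needs it, and since krb5_host_rcache_t is declared as a tmp file type in this same patch, getattr alone does not get a caller past `search` on /tmp; callers of kerberos_use that lack files_search_tmp may still be denied at the directory. I would add `# callers stat the host replay cache under /tmp (TODO: confirm the triggering AVC and whether files_search_tmp is also needed)` above the rule. The enclosing interface, kerberos_use, begins before this hunk.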
optional_policy(`
@@ -123,11 +126,12 @@ interface(`kerberos_use',`
#
interface(`kerberos_read_config',`
gen_require(`
- type krb5_conf_t;
+ type krb5_conf_t, krb5_home_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
+ allow $1 krb5_home_t:file read_file_perms;
')
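Review bot: `allow $1 krb5_home_t:file read_file_perms;` grants read of ~/.k5login but the interface only adds `files_search_etc($1)`, so a caller that does not already have search on user home directories cannot reach the file; unless every caller is known to have it, `userdom_search_user_home_dirs($1)` belongs next to the new rule. The interface summary comment, which starts before this hunk, still describes the interface as reading config, whereas .k5login is a per-user login authorization list; it should be updated to say so, e.g. `## Read the Kerberos configuration file and user .k5login files.`. If widening every config reader to the home content is not wanted, a separate `kerberos_read_home_content` interface would keep the two concerns apart.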
########################################
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index da70318..75bade1 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos, 1.9.3)
+policy_module(kerberos, 1.9.4)
########################################
#
@@ -33,10 +33,14 @@ init_script_file(kerberos_initrc_exec_t)
type kpropd_t;
type kpropd_exec_t;
init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
files_type(krb5_conf_t)
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
type krb5_host_rcache_t;
files_tmp_file(krb5_host_rcache_t)
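Review bot: `domain_obj_id_change_exemption(kpropd_t)` relaxes the object-identity constraint for kpropd_t, letting it create files whose SELinux user differs from its own, and nothing in the hunk says why a database-propagation daemon needs that. A why-comment would keep the relaxation from being cargo-culted later: `# kpropd creates files with a SELinux user other than its own (TODO: confirm which write trips the constraint)`. The krb5_home_t declaration with userdom_user_home_content looks right for a per-user dotfile.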
@@ -281,6 +285,8 @@ allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
allow kpropd_t krb5_keytab_t:file read_file_perms;
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
corecmd_exec_bin(kpropd_t)
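Review bot: The new lock-file rule and the existing principal rule on the next line are identical apart from the file type, so a single pattern with a type set reads better: `manage_files_pattern(kpropd_t, krb5kdc_conf_t, { krb5kdc_lock_t krb5kdc_principal_t })`. Separately, manage_files_pattern grants the full manage set (create, write, rename, unlink, lock); if kpropd only creates and locks the .ok and from_master files, a narrower create/lock pattern would be tighter, which is worth checking against what the propagation path actually touches.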