[selinux-policy: 2155/3172] kerberos patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:11:31 UTC 2010


commit 4aa075262ae683ab61b6c9c82fb16114d6f32348
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jul 20 15:41:08 2009 -0400

    kerberos patch from dan

 policy/modules/services/kerberos.fc |    8 ++++++--
 policy/modules/services/kerberos.if |    6 +++++-
 policy/modules/services/kerberos.te |    8 +++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 8046831..3525d24 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -1,3 +1,6 @@
+HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login			--	gen_context(system_u:object_r:krb5_home_t,s0)
+
 /etc/krb5\.conf			--	gen_context(system_u:object_r:krb5_conf_t,s0)
 /etc/krb5\.keytab			gen_context(system_u:object_r:krb5_keytab_t,s0)
 
@@ -6,13 +9,14 @@
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kpropd	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
 /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
 
 /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -21,7 +25,7 @@
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 /var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
 /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
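Review bot: The widened `principal.*\.ok` entry now overlaps the `principal.*` krb5kdc_principal_t entry on the line above it, so the label a `principal.ok`-style file gets depends on file-context ordering: the more specific `\.ok` entry has to stay after the broader one to win, and nothing in the file records that. A one-line comment above it, `# keep after principal.* : the later, more specific entry wins for the .ok lock files`, would protect the ordering from a future reshuffle. The widening also catches any `principal<anything>.ok` name rather than the single file matched before; if that is the intent (per-database variants), the same comment can say so.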
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 82b9929..db5ca26 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -70,6 +70,7 @@ interface(`kerberos_domtrans_kpropd',`
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -101,6 +102,8 @@ interface(`kerberos_use',`
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
+
+		allow $1 krb5_host_rcache_t:file getattr;
 	')
 
 	optional_policy(`
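Review bot: The new `allow $1 krb5_host_rcache_t:file getattr;` gives every kerberos_use caller a stat-only rule on the host replay cache with no comment on why getattr alone suffices, and the block enclosing it begins before the hunk, so the reader cannot see which condition guards it. A why-comment above the rule, `# getattr only: callers are expected to stat the host rcache, not read it (confirm against the denial that prompted this)`, would keep a later maintainer from widening it to rw_file_perms by analogy with the kpropd_t rule in kerberos.te. The interface's doc header, above the first hunk of this file, should mention the rcache access as well.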
@@ -123,11 +126,12 @@ interface(`kerberos_use',`
 #
 interface(`kerberos_read_config',`
 	gen_require(`
-		type krb5_conf_t;
+		type krb5_conf_t, krb5_home_t;
 	')
 
 	files_search_etc($1)
 	allow $1 krb5_conf_t:file read_file_perms;
+	allow $1 krb5_home_t:file read_file_perms;
 ')
 
 ########################################
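Review bot: The added `allow $1 krb5_home_t:file read_file_perms;` widens kerberos_read_config from the system-wide /etc/krb5.conf to every user's `.k5login`, a per-user authorization file, for every existing caller of the interface whether or not that caller consults k5login at all. Least privilege would put the rule in its own interface, e.g. `kerberos_read_home_content`, used only by the callers that actually check `.k5login`. The rule is also not usable on its own: it grants read on the file but no search on the user home directory types, so a caller is still denied traversal unless it already has that elsewhere. At minimum the interface's header comment, just above this hunk, should be updated to say the interface now covers `.k5login` as well as the config file.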
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index da70318..75bade1 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
 
-policy_module(kerberos, 1.9.3)
+policy_module(kerberos, 1.9.4)
 
 ########################################
 #
@@ -33,10 +33,14 @@ init_script_file(kerberos_initrc_exec_t)
 type kpropd_t;
 type kpropd_exec_t;
 init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
 
 type krb5_conf_t;
 files_type(krb5_conf_t)
 
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
 type krb5_host_rcache_t;
 files_tmp_file(krb5_host_rcache_t)
 
@@ -281,6 +285,8 @@ allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
 
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 
 corecmd_exec_bin(kpropd_t)
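Review bot: `manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)` lets kpropd_t create lock files inside the krb5kdc_conf_t directory, but a file kpropd_t creates there takes the directory's type unless a type transition says otherwise; the krb5kdc_lock_t labels added in kerberos.fc for `from_master.*` and `principal.*\.ok` apply only at relabel time. Unless a `filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)` exists outside this hunk, the new rule may never match at runtime and the freshly created files would end up as krb5kdc_conf_t. A blanket transition would collide with the principal database files that share the directory (the manage rule two lines down), so check how these files are actually created before choosing the fix, and record the outcome in a comment next to the rule.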

