[selinux-policy: 444/3172] initial commit
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:43:06 UTC 2010
commit 5e1ed4903e17ddd1e5ffb44178a7a45083e37cfe
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jun 30 21:11:54 2005 +0000
initial commit
refpolicy/policy/modules/services/kerberos.fc | 15 ++
refpolicy/policy/modules/services/kerberos.if | 79 ++++++++
refpolicy/policy/modules/services/kerberos.te | 259 +++++++++++++++++++++++++
3 files changed, 353 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc
new file mode 100644
index 0000000..6d365e9
--- /dev/null
+++ b/refpolicy/policy/modules/services/kerberos.fc
@@ -0,0 +1,15 @@
+/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
+/etc/krb5\.keytab system_u:object_r:krb5_keytab_t
+
+/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
+/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t
+/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
+
+/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
+/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+
+/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
+/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+
+/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
+/var/log/kadmind\.log system_u:object_r:kadmind_log_t
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
new file mode 100644
index 0000000..9cb3699
--- /dev/null
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -0,0 +1,79 @@
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+## <p>
+## This policy supports:
+## </p>
+## <p>
+## Servers:
+## </p>
+## <ul>
+## <li>kadmind</li>
+## <li>krb5kdc</li>
+## </ul>
+## <p>
+## Clients:
+## </p>
+## <ul>
+## <li>kinit</li>
+## <li>kdestroy</li>
+## <li>klist</li>
+## <li>ksu (incomplete)</li>
+## </ul>
+## </desc>
+
+########################################
+## <summary>
+## Use kerberos services
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`kerberos_use',`
+ gen_require(`
+ type krb5_conf_t;
+ class files r_file_perms;
+ ')
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+ corenet_tcp_sendrecv_all_if($1)
+ corenet_udp_sendrecv_all_if($1)
+ corenet_raw_sendrecv_all_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
+ corenet_udp_sendrecv_all_nodes($1)
+ corenet_raw_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_kerberos_port($1)
+ corenet_udp_sendrecv_kerberos_port($1)
+ corenet_tcp_bind_all_nodes($1)
+ corenet_udp_bind_all_nodes($1)
+ sysnet_read_config($1)
+
+ tunable_policy(`use_dns',`
+ corenet_udp_sendrecv_dns_port($1)
+ ')
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file { getattr read };
+ dontaudit $1 krb5_conf_t:file write;
+')
+
+########################################
+## <summary>
+## Read the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`kerberos_read_conf',`
+ gen_require(`
+ type krb5_conf_t;
+ class files r_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
new file mode 100644
index 0000000..6c8f0f2
--- /dev/null
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -0,0 +1,259 @@
+
+policy_module(kerberos,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kadmind_t;
+type kadmind_exec_t;
+init_daemon_domain(kadmind_t,kadmind_exec_t)
+
+type kadmind_log_t;
+logging_log_file(kadmind_log_t)
+
+type kadmind_tmp_t;
+files_tmp_file(kadmind_tmp_t)
+
+type kadmind_var_run_t;
+files_pid_file(kadmind_var_run_t)
+
+type krb5_conf_t;
+files_type(krb5_conf_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t; #, secure_file_type;
+files_type(krb5_keytab_t)
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t;
+files_type(krb5kdc_conf_t)
+
+# types for KDC principal file(s)
+type krb5kdc_principal_t;
+files_type(krb5kdc_principal_t)
+
+type krb5kdc_t;
+type krb5kdc_exec_t;
+init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
+
+type krb5kdc_log_t;
+logging_log_file(krb5kdc_log_t)
+
+type krb5kdc_tmp_t;
+files_tmp_file(krb5kdc_tmp_t)
+
+type krb5kdc_var_run_t;
+files_pid_file(krb5kdc_var_run_t)
+
+########################################
+#
+# kadmind local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:unix_dgram_socket { connect create write };
+
+allow kadmind_t kadmind_log_t:file create_file_perms;
+logging_create_log(kadmind_t,kadmind_log_t)
+
+allow kadmind_t krb5_conf_t:file r_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
+
+allow kadmind_t krb5kdc_conf_t:dir search;
+allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+dontaudit kadmind_t krb5kdc_conf_t:file write;
+
+allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
+
+can_exec(kadmind_t, kadmind_exec_t)
+
+allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
+allow kadmind_t kadmind_tmp_t:file create_file_perms;
+files_create_tmp_files(kadmind_t, kadmind_tmp_t, { file dir })
+
+allow kadmind_t kadmind_var_run_t:file { getattr create read write append setattr unlink };
+files_create_pid(kadmind_t,kadmind_var_run_t)
+
+kernel_read_kernel_sysctl(kadmind_t)
+
+corenet_tcp_sendrecv_all_if(kadmind_t)
+corenet_raw_sendrecv_all_if(kadmind_t)
+corenet_tcp_sendrecv_all_nodes(kadmind_t)
+corenet_raw_sendrecv_all_nodes(kadmind_t)
+corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_tcp_bind_all_nodes(kadmind_t)
+corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+
+dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
+
+fs_getattr_all_fs(kadmind_t)
+fs_search_auto_mountpoints(kadmind_t)
+
+term_dontaudit_use_console(kadmind_t)
+
+domain_use_wide_inherit_fd(kadmind_t)
+
+files_read_etc_files(kadmind_t)
+
+init_use_fd(kadmind_t)
+init_use_script_pty(kadmind_t)
+
+libs_use_ld_so(kadmind_t)
+libs_use_shared_libs(kadmind_t)
+
+logging_send_syslog_msg(kadmind_t)
+
+miscfiles_read_localization(kadmind_t)
+
+sysnet_read_config(kadmind_t)
+
+userdom_dontaudit_use_unpriv_user_fd(kadmind_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(kadmind_t)
+ term_dontaudit_use_generic_pty(kadmind_t)
+ files_dontaudit_read_root_file(kadmind_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(kadmind_t)
+')
+
+optional_policy(`selinux.te',`
+ seutil_sigchld_newrole(kadmind_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(kadmind_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(kadmind_t)
+')
+allow kadmind_t proc_t:dir r_dir_perms;
+allow kadmind_t proc_t:lnk_file read;
+dontaudit kadmind_t sysadm_home_dir_t:dir search;
+
+# cjp: not sure, but I think this has no effect
+can_tcp_connect(kerberos_admin_port_t, kadmind_t)
+') dnl end TODO
+
+########################################
+#
+# Krb5kdc local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow krb5kdc_t krb5_conf_t:file r_file_perms;
+dontaudit krb5kdc_t krb5_conf_t:file write;
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+allow krb5kdc_t krb5kdc_conf_t:dir search;
+allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
+logging_create_log(krb5kdc_t,krb5kdc_log_t)
+
+allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+
+allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
+allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
+files_create_tmp_files(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+
+allow krb5kdc_t krb5kdc_var_run_t:file { getattr create read write append setattr unlink };
+files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
+
+kernel_read_system_state(krb5kdc_t)
+kernel_read_kernel_sysctl(krb5kdc_t)
+
+corenet_tcp_sendrecv_all_if(krb5kdc_t)
+corenet_raw_sendrecv_all_if(krb5kdc_t)
+corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
+corenet_raw_sendrecv_all_nodes(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_tcp_bind_all_nodes(krb5kdc_t)
+corenet_tcp_bind_kerberos_port(krb5kdc_t)
+corenet_udp_bind_kerberos_port(krb5kdc_t)
+
+dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
+
+fs_getattr_all_fs(krb5kdc_t)
+fs_search_auto_mountpoints(krb5kdc_t)
+
+term_dontaudit_use_console(krb5kdc_t)
+
+domain_use_wide_inherit_fd(krb5kdc_t)
+
+files_read_etc_files(krb5kdc_t)
+
+init_use_fd(krb5kdc_t)
+init_use_script_pty(krb5kdc_t)
+
+libs_use_ld_so(krb5kdc_t)
+libs_use_shared_libs(krb5kdc_t)
+
+logging_send_syslog_msg(krb5kdc_t)
+
+miscfiles_read_localization(krb5kdc_t)
+
+sysnet_read_config(krb5kdc_t)
+
+userdom_dontaudit_use_unpriv_user_fd(krb5kdc_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(krb5kdc_t)
+ term_dontaudit_use_generic_pty(krb5kdc_t)
+ files_dontaudit_read_root_file(krb5kdc_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(krb5kdc_t)
+')
+
+optional_policy(`selinux.te',`
+ seutil_sigchld_newrole(krb5kdc_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(krb5kdc_t)
+')
+
+ifdef(`TODO',`
+allow krb5kdc_t proc_t:dir r_dir_perms;
+allow krb5kdc_t proc_t:lnk_file read;
+dontaudit krb5kdc_t sysadm_home_dir_t:dir search;
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(krb5kdc_t)
+')
+
+# Allow user programs to talk to KDC
+allow krb5kdc_t userdomain:udp_socket recvfrom;
+allow userdomain krb5kdc_t:udp_socket recvfrom;
+
+# cjp: not sure, but I think these have no effect
+can_udp_send(kerberos_port_t, krb5kdc_t)
+can_udp_send(krb5kdc_t, kerberos_port_t)
+can_tcp_connect(kerberos_port_t, krb5kdc_t)
+') dnl end TODO
More information about the scm-commits
mailing list