[selinux-policy: 446/3172] convert can_kerberos()

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:43:16 UTC 2010 

commit a7a9799d79e616545dfa7fc0f5e85029dc494a68
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jul 1 13:31:34 2005 +0000

    convert can_kerberos()

 refpolicy/policy/modules/services/inetd.te    |    6 ++++--
 refpolicy/policy/modules/services/kerberos.if |    6 +++---
 refpolicy/policy/modules/services/ssh.if      |    6 ++++--
 refpolicy/policy/modules/system/authlogin.if  |   12 +++++++++---
 refpolicy/policy/modules/system/authlogin.te  |    5 ++++-
 refpolicy/policy/modules/system/init.te       |    9 ++++-----
 refpolicy/policy/modules/system/userdomain.if |    6 ++++--
 7 files changed, 32 insertions(+), 18 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 97e792d..12d6625 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -169,13 +169,11 @@ allow inetd_child_t self:fifo_file rw_file_perms;
 allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
 
 # for identd
-# cjp: this should probably only be inetd_child rules?
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
 allow inetd_child_t self:dir search;
 allow inetd_child_t self:{ lnk_file file } { getattr read };
 #allow inetd_child_t home_root_t:dir search;
-#can_kerberos(inetd_child_t)
 
 allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
 allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
@@ -214,6 +212,10 @@ tunable_policy(`run_ssh_inetd',`
 	corenet_tcp_bind_ssh_port(inetd_t)
 ')
 
+optional_policy(`kerberos.te',`
+	kerberos_use(inetd_child_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(inetd_child_t)
 ')
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index 23839ca..a2a76fe 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -49,10 +49,10 @@ interface(`kerberos_use',`
 		corenet_tcp_bind_all_nodes($1)
 		corenet_udp_bind_all_nodes($1)
 		sysnet_read_config($1)
+	')
 
-		tunable_policy(`use_dns',`
-			corenet_udp_sendrecv_dns_port($1)
-		')
+	tunable_policy(`allow_kerberos && use_dns',`
+		corenet_udp_sendrecv_dns_port($1)
 	')
 
 	files_search_etc($1)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 2635c89..09bd7fb 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -148,6 +148,10 @@ template(`ssh_per_userdomain_template',`
 		corenet_tcp_bind_ssh_port($1_ssh_t)
 	')
 
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_ssh_t)
+	')
+
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_ssh_t)
 	')
@@ -170,8 +174,6 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t var_run_t:dir r_dir_perms;
 	allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
 
-	can_kerberos($1_ssh_t)
-
 	allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
 
 	# Access the users .ssh directory.
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 91436bd..85c18f7 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
 
 	seutil_read_config($1_chkpwd_t)
 
-	#can_kerberos($1_chkpwd_t)
 	#can_ldap($1_chkpwd_t)
 
 	# Transition from the user domain to this domain.
@@ -96,6 +95,10 @@ template(`authlogin_per_userdomain_template',`
 		sysnet_read_config($1_chkpwd_t)
 	')
 
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_chkpwd_t)
+	')
+
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
@@ -104,7 +107,7 @@ template(`authlogin_per_userdomain_template',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
 
-') dnl end authlogin_per_userdomain_template
+')
 
 ########################################
 ## <desc>
@@ -188,7 +191,10 @@ interface(`auth_domtrans_chk_passwd',`
 		sysnet_read_config($1)
 	')
 
-	#can_kerberos($1)
+	optional_policy(`kerberos.te',`
+		kerberos_use($1)
+	')
+
 	#can_ldap($1)
 
 	optional_policy(`nis.te',`
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index eb4461f..f775741 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -270,12 +270,15 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(system_chkpwd_t)
 ')
 
+optional_policy(`kerberos.te',`
+	kerberos_use(system_chkpwd_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
 
 ifdef(`TODO',`
-can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
 ') dnl end TODO
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ab32337..70f88b3 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -343,6 +343,10 @@ optional_policy(`hotplug.te',`
 	modutils_read_mods_deps(initrc_t)
 ')
 
+optional_policy(`kerberos.te',`
+	kerberos_use(initrc_t)
+')
+
 optional_policy(`lvm.te',`
 	#allow initrc_t lvm_control_t:chr_file unlink;
 
@@ -399,11 +403,6 @@ allow initrc_t { file_t default_t }:dir { read search getattr mounton };
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-dontaudit initrc_t krb5_conf_t:file write;
-allow initrc_t krb5_conf_t:file r_file_perms;
-
 #
 #  These rules are here to allow init scripts to su
 #
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 655b608..ae52c22 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -512,6 +512,10 @@ template(`unpriv_user_template', `
 		corenet_tcp_bind_generic_port($1_t)
 	')
 
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_t)
+	')
+
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`modutils.te',`
 		modutils_read_module_conf($1_t)
@@ -532,8 +536,6 @@ template(`unpriv_user_template', `
 	dontaudit $1_t boot_t:lnk_file read;
 	dontaudit $1_t boot_t:file read;
 
-	can_kerberos($1_t)
-
 	# do not audit read on disk devices
 	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

More information about the scm-commits mailing list