[selinux-policy: 1710/3172] from dan:

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:32:47 UTC 2010


commit ebc1e8be9774df596838c25d78924806dfe6e3d4
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Apr 10 17:20:07 2007 +0000

    from dan:
    
    kadmind tries to setattr on krb5kdc file.  Just a library checking access.

 policy/modules/services/apache.te   |    3 ++-
 policy/modules/services/kerberos.if |   21 +++++++++++++++++++++
 policy/modules/services/kerberos.te |    4 ++--
 3 files changed, 25 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 2b68560..b41116d 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.5.6)
+policy_module(apache,1.5.7)
 
 #
 # NOTES: 
@@ -468,6 +468,7 @@ optional_policy(`
 
 optional_policy(`
 	kerberos_use(httpd_t)
+	kerberos_read_kdc_config(httpd_t)
 ')
 
 optional_policy(`
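Review bot: The added `kerberos_read_kdc_config(httpd_t)` call has no stated reason: the commit message covers only kadmind's setattr probe, and nothing says why a web server domain needs KDC-side configuration on top of `kerberos_use(httpd_t)`. A comment above the call should record the denial that motivated it, for example `# httpd's krb5 library reads the KDC config; see <bug reference placeholder>`, so the grant can be revisited later. If only some deployments need this access, consider putting it behind a tunable rather than granting it whenever the kerberos module is present.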
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index bc17c52..8c3fe02 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -150,3 +150,24 @@ interface(`kerberos_read_keytab',`
 	files_search_etc($1)
 	allow $1 krb5_keytab_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+	gen_require(`
+		type krb5kdc_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5kdc_conf_t:file read_file_perms;
+
+')
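Review bot: `kerberos_read_kdc_config` grants only `files_search_etc($1)` and `krb5kdc_conf_t:file read_file_perms`, while kerberos.te in this same commit reads that type with `read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)`, which also covers a directory of that type. If the KDC configuration sits in a krb5kdc_conf_t-labelled directory (not visible here), callers would still be denied at the directory search; `read_files_pattern($1,krb5kdc_conf_t,krb5kdc_conf_t)` would keep the interface consistent with the .te file. The summary's `/etc/krb5kdc.conf` path should be checked against the file contexts for this type, and the `<rolecap/>` tag should be confirmed as intended for a read of KDC configuration. The blank line before the closing `')` can be dropped.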
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 142974b..74da53a 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
 
-policy_module(kerberos,1.3.4)
+policy_module(kerberos,1.3.5)
 
 ########################################
 #
@@ -75,7 +75,7 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
 
 read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
 
 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
 
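Review bot: The widened `dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };` silences setattr denials with no explanation in the file; the reason (a library access check) is given only in the commit message. Because dontaudit suppresses the AVC record, a genuine attempt by kadmind to change attributes on the KDC config would also go unlogged, so the rationale belongs next to the rule: `# krb5 library probes write/setattr access on the KDC config; denial is expected`. The same comment would help the `dontaudit kadmind_t krb5_conf_t:file write;` context line above. The surrounding kadmind_t rules continue outside the hunk.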

