[selinux-policy: 2616/3172] kerberos patch from Dan Walsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:52:35 UTC 2010


commit 01bfe1d20e4873b5e55815c066b41ee0b92377bd
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Thu Apr 8 16:02:18 2010 -0400

    kerberos patch from Dan Walsh

 policy/modules/services/kerberos.if |    6 +++++-
 policy/modules/services/kerberos.te |    3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 0c7f12f..f9691bd 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -74,7 +74,7 @@ interface(`kerberos_use',`
 	')
 
 	files_search_etc($1)
-	allow $1 krb5_conf_t:file read_file_perms;
+	read_files_pattern($1, krb5_conf_t, krb5_conf_t)
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
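Review bot: The replacement on the `+` line is a small widening, not a pure refactor: `read_files_pattern($1, krb5_conf_t, krb5_conf_t)` expands to a `dir search` rule on krb5_conf_t in addition to the `file read_file_perms` the old rule granted. As far as the file contexts outside this patch go, krb5_conf_t labels /etc/krb5.conf itself, and `files_search_etc($1)` on the line above already covers its parent directory, so the extra dir permission appears to have no effect today and would only matter if a directory were later labelled krb5_conf_t. If the pattern form is kept for consistency with the rest of the policy, a one-line comment such as `# read_files_pattern also grants dir search on krb5_conf_t; no directory currently carries that label` makes the intent reviewable. The enclosing `kerberos_use` interface starts and ends outside the hunk.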
@@ -84,6 +84,10 @@ interface(`kerberos_use',`
 	selinux_dontaudit_validate_context($1)
 	seutil_dontaudit_read_file_contexts($1)
 
+	optional_policy(`
+		sssd_read_public_files($1)
+	')
+
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
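Review bot: The new `optional_policy` block grants every caller of kerberos_use read access to sssd's public files unconditionally, outside the `allow_kerberos` tunable that gates the interface's socket permissions directly below it, and neither the hunk nor the commit message says what reads them. If the motivation is the krb5 library loading sssd's locator data from its public directory (an inference, not visible here), say so on the block, e.g. `# krb5 library reads sssd's public (pubconf) files through the sssd locator plugin`, and add a sentence to the interface's doc header noting that kerberos_use now implies sssd_read_public_files when sssd is present. The doc header of kerberos_use is outside the hunk.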
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index c7a148c..55b52f6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -112,6 +112,7 @@ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
 
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 kernel_read_system_state(kadmind_t)
 
@@ -283,7 +284,7 @@ allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
 
-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
 
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 
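Review bot: Raising kpropd's access on krb5_host_rcache_t from rw_file_perms to manage_file_perms adds create/unlink/rename, but a file kpropd creates only ends up labelled krb5_host_rcache_t if kpropd_t has a type transition in the directory where the replay cache is written; the hunk shows none, and if one does not exist elsewhere in kpropd_t's rules the new cache file will take the parent directory's type and the added permission never applies. Check for a `files_tmp_filetrans(kpropd_t, krb5_host_rcache_t, file)` (or the equivalent for wherever the rcache is placed) outside this hunk and add it beside this rule if it is missing. A comment naming the file kpropd creates, e.g. `# kpropd creates and replaces its replay cache file`, would also distinguish this rule from the socket boilerplate around it.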

