[selinux-policy: 2616/3172] kerberos patch from Dan Walsh
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:52:35 UTC 2010
commit 01bfe1d20e4873b5e55815c066b41ee0b92377bd
Author: Jeremy Solt <jsolt at tresys.com>
Date: Thu Apr 8 16:02:18 2010 -0400
kerberos patch from Dan Walsh
policy/modules/services/kerberos.if | 6 +++++-
policy/modules/services/kerberos.te | 3 ++-
2 files changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 0c7f12f..f9691bd 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -74,7 +74,7 @@ interface(`kerberos_use',`
')
files_search_etc($1)
- allow $1 krb5_conf_t:file read_file_perms;
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
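Review bot: The switch to `read_files_pattern($1, krb5_conf_t, krb5_conf_t)` in kerberos_use is undocumented, and it gives every caller directory search on krb5_conf_t as well as file read. Because kerberos_use is called from many domains, the extra directory access deserves a one-line reason above the rule, for example `# krb5.conf may live in or include a krb5_conf_t directory, so callers need search on it` (wording to be confirmed against the file contexts, which are not visible here). If no directory is labelled krb5_conf_t, the original `allow $1 krb5_conf_t:file read_file_perms;` was the tighter rule. The interface starts and ends outside this hunk.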
@@ -84,6 +84,10 @@ interface(`kerberos_use',`
selinux_dontaudit_validate_context($1)
seutil_dontaudit_read_file_contexts($1)
+ optional_policy(`
+ sssd_read_public_files($1)
+ ')
+
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
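Review bot: The added `sssd_read_public_files($1)` sits before the `tunable_policy(`allow_kerberos', ...)` block rather than under it, so every caller of kerberos_use can read sssd's public files whenever the sssd module is loaded, even with the boolean off. If that is intentional, the block needs a comment saying so, for example `# sssd publishes KDC location data that libkrb5 reads; needed regardless of allow_kerberos` (the reason is presumed and should be confirmed by the author). The interface's summary, which lies outside this hunk, should also mention the sssd access so callers know what they inherit.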
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index c7a148c..55b52f6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -112,6 +112,7 @@ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
@@ -283,7 +284,7 @@ allow kpropd_t self:fifo_file rw_file_perms;
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
allow kpropd_t krb5_keytab_t:file read_file_perms;
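Review bot: Widening `allow kpropd_t krb5_host_rcache_t:file` from `rw_file_perms` to `manage_file_perms` adds create, unlink, rename and setattr, but file-class permissions alone do not let kpropd create a replay cache. Creation also needs add_name/write on the parent directory and a type transition so the new file is labelled krb5_host_rcache_t; neither is visible in this hunk. Please confirm a matching rule exists elsewhere in kerberos.te (for instance a `files_tmp_filetrans(kpropd_t, krb5_host_rcache_t, file)`-style transition, if the cache lives in a tmp directory). Otherwise the cache file may be created with the parent directory's type, or the create may still be denied. A short comment naming the denial that motivated the wider permission set would help later audits judge whether unlink and rename are really needed.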