From 4aa075262ae683ab61b6c9c82fb16114d6f32348 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 20 Jul 2009 15:41:08 -0400 Subject: [PATCH] kerberos patch from dan --- policy/modules/services/kerberos.fc | 8 ++++++-- policy/modules/services/kerberos.if | 6 +++++- policy/modules/services/kerberos.te | 8 +++++++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc index 804683159..3525d248a 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -1,3 +1,6 @@ +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) /etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) @@ -6,13 +9,14 @@ /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -21,7 +25,7 @@ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 82b99295f..db5ca26db 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -70,6 +70,7 @@ interface(`kerberos_domtrans_kpropd',` interface(`kerberos_use',` gen_require(` type krb5_conf_t, krb5kdc_conf_t; + type krb5_host_rcache_t; ') files_search_etc($1) @@ -101,6 +102,8 @@ interface(`kerberos_use',` corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) + + allow $1 krb5_host_rcache_t:file getattr; ') optional_policy(` @@ -123,11 +126,12 @@ interface(`kerberos_use',` # interface(`kerberos_read_config',` gen_require(` - type krb5_conf_t; + type krb5_conf_t, krb5_home_t; ') files_search_etc($1) allow $1 krb5_conf_t:file read_file_perms; + allow $1 krb5_home_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index da703187d..75bade1c4 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos, 1.9.3) +policy_module(kerberos, 1.9.4) ######################################## # @@ -33,10 +33,14 @@ init_script_file(kerberos_initrc_exec_t) type kpropd_t; type kpropd_exec_t; init_daemon_domain(kpropd_t, kpropd_exec_t) +domain_obj_id_change_exemption(kpropd_t) type krb5_conf_t; files_type(krb5_conf_t) +type krb5_home_t; +userdom_user_home_content(krb5_home_t) + type krb5_host_rcache_t; files_tmp_file(krb5_host_rcache_t) @@ -281,6 +285,8 @@ allow kpropd_t krb5_host_rcache_t:file rw_file_perms; allow kpropd_t krb5_keytab_t:file read_file_perms; +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) + manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) corecmd_exec_bin(kpropd_t)