From 5b06477c8e4f3a668b840334b01427447397b1a1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 26 Feb 2007 17:04:56 +0000
Subject: [PATCH] On Tue, 2007-02-20 at 12:02 -0500, Daniel J Walsh wrote:
> Eliminate excess avc messages created when using kerberos libraries
>
> krb5kdc wans to setsched
>
> Also uses a fifo_file to communicate.
>
> Needs to search_network_sysctl
---
 Changelog | 1 +
 policy/modules/services/kerberos.if | 2 +-
 policy/modules/services/kerberos.te | 6 ++++--
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/Changelog b/Changelog
index 56a283302..32d2a27b8 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for misc fixes to kerberos from Dan Walsh.
 - Patch to start deprecating usercanread attribute from Ryan Bradetich.
 - Add dccp_socket object class which was added in kernel 2.6.20.
 - Patch for prelink relabefrom it's temp files from Dan Walsh.
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 14d37198e..bc17c5249 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -41,7 +41,7 @@ interface(`kerberos_use',`
 	allow $1 krb5_conf_t:file { getattr read };
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
-	dontaudit $1 krb5kdc_conf_t:file read_file_perms;
+	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
 
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index e5d8f469e..e9c0acf3f 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.3.1)
+policy_module(kerberos,1.3.2)
 
 ########################################
 #
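Review bot: The widened `dontaudit $1 krb5kdc_conf_t:file rw_file_perms;` silences write and append attempts by every domain that calls kerberos_use against the KDC's own configuration, so a misconfigured or compromised client that tries to modify files under krb5kdc_conf_t will no longer leave an AVC record. dontaudit grants nothing, but that record is the only signal an administrator gets that something is poking at KDC config, and the neighbouring krb5_conf_t rule two lines up hides only `write`. Unless the client library has actually been observed attempting append, I would keep the original line and mirror that narrower pattern instead: `dontaudit $1 krb5kdc_conf_t:file read_file_perms;` plus `dontaudit $1 krb5kdc_conf_t:file write;`. The kerberos_use interface starts before and continues past this hunk.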
@@ -154,10 +154,11 @@ optional_policy(`
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { getsched signal_perms };
+allow krb5kdc_t self:process { setsched getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
+allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
 
 allow krb5kdc_t krb5_conf_t:file read_file_perms;
 dontaudit krb5kdc_t krb5_conf_t:file write;
@@ -185,6 +186,7 @@ kernel_read_kernel_sysctls(krb5kdc_t)
 kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
+kernel_search_network_sysctl(krb5kdc_t)
 
 corecmd_exec_sbin(krb5kdc_t)
 corecmd_exec_bin(krb5kdc_t)
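Review bot: `allow krb5kdc_t self:process { setsched getsched signal_perms };` grants the KDC scheduler control rather than merely quieting a denial, even though the commit message frames the whole change as eliminating excess AVC messages. If krb5kdc only probes setsched and works without it, the tighter fix is `dontaudit krb5kdc_t self:process setsched;` with the allow line left as it was; if it genuinely needs it (it already holds `sys_nice` on the capability line above, so the allow is at least consistent), a one-line comment such as `# krb5kdc adjusts its own scheduling policy` above the rule would record that. The new `self:fifo_file` rule covers only pipes labelled with the KDC's own type, which matches the description and looks fine.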
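Review bot: `kernel_search_network_sysctl(krb5kdc_t)` is granted only to the KDC, yet the commit message attributes these denials to the Kerberos libraries in general; if it is the library that walks /proc/sys/net, every client domain that calls kerberos_use will presumably keep logging the same denial. It is worth checking the source context of the original AVC before merging and, if the client side is affected too, adding the matching call or a dontaudit inside kerberos_use rather than only here. Search on the sysctl directory without read is the minimal form, so the KDC-side rule itself is fine.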