On Tue, 2007-02-20 at 12:02 -0500, Daniel J Walsh wrote:

> Eliminate excess avc messages created when using kerberos libraries > > krb5kdc wans to setsched > > Also uses a fifo_file to communicate. > > Needs to search_network_sysctl
2007-02-26 17:04:56 +00:00 · 2007-02-26 17:04:56 +00:00 · 5b06477c8e
parent bbb7cc8927
commit 5b06477c8e
3 changed files with 6 additions and 3 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
 - Patch for misc fixes to kerberos from Dan Walsh.
 - Patch to start deprecating usercanread attribute from Ryan Bradetich.
 - Add dccp_socket object class which was added in kernel 2.6.20.
 - Patch for prelink relabefrom it's temp files from Dan Walsh.
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@ -41,7 +41,7 @@ interface(`kerberos_use',`
 	allow $1 krb5_conf_t:file { getattr read };
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
-	dontaudit $1 krb5kdc_conf_t:file read_file_perms;
+	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@ -1,5 +1,5 @@
-policy_module(kerberos,1.3.1)
+policy_module(kerberos,1.3.2)
 ########################################
 #
@ -154,10 +154,11 @@ optional_policy(`
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { getsched signal_perms };
+allow krb5kdc_t self:process { setsched getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
 allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
 allow krb5kdc_t krb5_conf_t:file read_file_perms;
 dontaudit krb5kdc_t krb5_conf_t:file write;
@ -185,6 +186,7 @@ kernel_read_kernel_sysctls(krb5kdc_t)
 kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
 kernel_search_network_sysctl(krb5kdc_t)
 corecmd_exec_sbin(krb5kdc_t)
 corecmd_exec_bin(krb5kdc_t)