selinux-policy/refpolicy/policy/modules/services/kerberos.if

## <summary>MIT Kerberos admin and KDC</summary>
## <desc>
##	<p>
##	This policy supports:
##	</p>
##	<p>
##	Servers:
##	<ul>
##		<li>kadmind</li>
##		<li>krb5kdc</li>
##	</ul>
##	</p>
##	<p>
##	Clients:
##	<ul>
##		<li>kinit</li>
##		<li>kdestroy</li>
##		<li>klist</li>
##		<li>ksu (incomplete)</li>
##	</ul>
##	</p>
## </desc>

########################################
## <summary>
##	Use kerberos services
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`kerberos_use',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file { getattr read };
	dontaudit $1 krb5_conf_t:file write;

	tunable_policy(`allow_kerberos',`
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;
		corenet_tcp_sendrecv_all_if($1)
		corenet_udp_sendrecv_all_if($1)
		corenet_raw_sendrecv_all_if($1)
		corenet_tcp_sendrecv_all_nodes($1)
		corenet_udp_sendrecv_all_nodes($1)
		corenet_raw_sendrecv_all_nodes($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_tcp_bind_all_nodes($1)
		corenet_udp_bind_all_nodes($1)
		corenet_tcp_connect_kerberos_port($1)
		sysnet_read_config($1)
		sysnet_dns_name_resolve($1)
	')
')

########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`kerberos_read_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file r_file_perms;
')

########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`kerberos_rw_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file rw_file_perms;
')
initial commit 2005-06-30 21:11:54 +00:00			`## <summary>MIT Kerberos admin and KDC</summary>`
			`## <desc>`
			`## <p>`
			`## This policy supports:`
			`## </p>`
			`## <p>`
			`## Servers:`
			`## <ul>`
			`## <li>kadmind</li>`
			`## <li>krb5kdc</li>`
			`## </ul>`
ul has to be in a p 2005-07-01 13:10:57 +00:00			`## </p>`
initial commit 2005-06-30 21:11:54 +00:00			`## <p>`
			`## Clients:`
			`## <ul>`
			`## <li>kinit</li>`
			`## <li>kdestroy</li>`
			`## <li>klist</li>`
			`## <li>ksu (incomplete)</li>`
			`## </ul>`
ul has to be in a p 2005-07-01 13:10:57 +00:00			`## </p>`
initial commit 2005-06-30 21:11:54 +00:00			`## </desc>`

			`########################################`
			`## <summary>`
			`## Use kerberos services`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`kerberos_use',`
			gen_require(`
			`type krb5_conf_t;`
			`')`

add comsat. clean up kerberos and nscd interfaces 2005-08-31 15:25:12 +00:00			`files_search_etc($1)`
			`allow $1 krb5_conf_t:file { getattr read };`
			`dontaudit $1 krb5_conf_t:file write;`

initial commit 2005-06-30 21:11:54 +00:00			tunable_policy(`allow_kerberos',`
add comsat. clean up kerberos and nscd interfaces 2005-08-31 15:25:12 +00:00			`allow $1 self:tcp_socket create_socket_perms;`
			`allow $1 self:udp_socket create_socket_perms;`
initial commit 2005-06-30 21:11:54 +00:00			`corenet_tcp_sendrecv_all_if($1)`
			`corenet_udp_sendrecv_all_if($1)`
			`corenet_raw_sendrecv_all_if($1)`
			`corenet_tcp_sendrecv_all_nodes($1)`
			`corenet_udp_sendrecv_all_nodes($1)`
			`corenet_raw_sendrecv_all_nodes($1)`
			`corenet_tcp_sendrecv_kerberos_port($1)`
			`corenet_udp_sendrecv_kerberos_port($1)`
			`corenet_tcp_bind_all_nodes($1)`
			`corenet_udp_bind_all_nodes($1)`
more upstream merging 2005-09-16 19:36:10 +00:00			`corenet_tcp_connect_kerberos_port($1)`
initial commit 2005-06-30 21:11:54 +00:00			`sysnet_read_config($1)`
more updates 2005-09-15 21:03:29 +00:00			`sysnet_dns_name_resolve($1)`
initial commit 2005-06-30 21:11:54 +00:00			`')`
			`')`

			`########################################`
			`## <summary>`
			`## Read the kerberos configuration file (/etc/krb5.conf).`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
add firstboot 2005-08-17 14:14:07 +00:00			interface(`kerberos_read_config',`
initial commit 2005-06-30 21:11:54 +00:00			gen_require(`
			`type krb5_conf_t;`
			`')`

			`files_search_etc($1)`
			`allow $1 krb5_conf_t:file r_file_perms;`
			`')`
add firstboot 2005-08-17 14:14:07 +00:00
			`########################################`
			`## <summary>`
			`## Read and write the kerberos configuration file (/etc/krb5.conf).`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`kerberos_rw_config',`
			gen_require(`
			`type krb5_conf_t;`
			`')`

			`files_search_etc($1)`
			`allow $1 krb5_conf_t:file rw_file_perms;`
			`')`