kerberos patch from Dan Walsh

policy/modules/services/kerberos.if

@@ -74,7 +74,7 @@ interface(`kerberos_use',`
 	')
 
 	files_search_etc($1)
-	allow $1 krb5_conf_t:file read_file_perms;
+	read_files_pattern($1, krb5_conf_t, krb5_conf_t)
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -84,6 +84,10 @@ interface(`kerberos_use',`
 	selinux_dontaudit_validate_context($1)
 	seutil_dontaudit_read_file_contexts($1)
 
+	optional_policy(`
+		sssd_read_public_files($1)
+	')
+
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;

policy/modules/services/kerberos.te

@@ -112,6 +112,7 @@ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
 
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 kernel_read_system_state(kadmind_t)
 
@@ -283,7 +284,7 @@ allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
 
-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
 
 allow kpropd_t krb5_keytab_t:file read_file_perms;