Update kerberos interfaces
This commit is contained in:
parent
96feeb5e20
commit
301836b163
@ -12360,7 +12360,7 @@ index 008f8ef..144c074 100644
|
|||||||
admin_pattern($1, certmonger_var_run_t)
|
admin_pattern($1, certmonger_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/certmonger.te b/certmonger.te
|
diff --git a/certmonger.te b/certmonger.te
|
||||||
index 550b287..814aeca 100644
|
index 550b287..10b00ba 100644
|
||||||
--- a/certmonger.te
|
--- a/certmonger.te
|
||||||
+++ b/certmonger.te
|
+++ b/certmonger.te
|
||||||
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
|
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
|
||||||
@ -12475,7 +12475,7 @@ index 550b287..814aeca 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
kerberos_use(certmonger_t)
|
kerberos_use(certmonger_t)
|
||||||
+ kerberos_read_keytab(certmonger_t)
|
+ kerberos_read_keytab(certmonger_t)
|
||||||
+ kerberos_manage_config(certmonger_t)
|
+ kerberos_manage_kdc_config(certmonger_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -42767,7 +42767,7 @@ index 4fe75fd..3504a9b 100644
|
|||||||
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||||
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||||
diff --git a/kerberos.if b/kerberos.if
|
diff --git a/kerberos.if b/kerberos.if
|
||||||
index f6c00d8..192df56 100644
|
index f6c00d8..b7e477d 100644
|
||||||
--- a/kerberos.if
|
--- a/kerberos.if
|
||||||
+++ b/kerberos.if
|
+++ b/kerberos.if
|
||||||
@@ -1,27 +1,29 @@
|
@@ -1,27 +1,29 @@
|
||||||
@ -42984,7 +42984,7 @@ index f6c00d8..192df56 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -210,47 +207,63 @@ interface(`kerberos_manage_krb5_home_files',`
|
@@ -210,220 +207,252 @@ interface(`kerberos_manage_krb5_home_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -43033,50 +43033,36 @@ index f6c00d8..192df56 100644
|
|||||||
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
|
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
|
||||||
+ allow $1 krb5_keytab_t:file manage_file_perms;
|
+ allow $1 krb5_keytab_t:file manage_file_perms;
|
||||||
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
|
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Create a derived type for kerberos keytab
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="prefix">
|
|
||||||
+## <summary>
|
|
||||||
+## The prefix to be used for deriving type names.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+template(`kerberos_keytab_template',`
|
|
||||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
|
||||||
+ kerberos_read_keytab($2)
|
|
||||||
+ kerberos_use($2)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Read kerberos key table files.
|
-## Read kerberos key table files.
|
||||||
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
+## Create a derived type for kerberos keytab
|
||||||
## </summary>
|
## </summary>
|
||||||
|
+## <param name="prefix">
|
||||||
|
+## <summary>
|
||||||
|
+## The prefix to be used for deriving type names.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
-## <rolecap/>
|
||||||
#
|
#
|
||||||
-interface(`kerberos_read_keytab',`
|
-interface(`kerberos_read_keytab',`
|
||||||
+interface(`kerberos_read_kdc_config',`
|
- gen_require(`
|
||||||
gen_require(`
|
|
||||||
- type krb5_keytab_t;
|
- type krb5_keytab_t;
|
||||||
+ type krb5kdc_conf_t;
|
- ')
|
||||||
')
|
-
|
||||||
|
- files_search_etc($1)
|
||||||
files_search_etc($1)
|
|
||||||
- allow $1 krb5_keytab_t:file read_file_perms;
|
- allow $1 krb5_keytab_t:file read_file_perms;
|
||||||
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
+template(`kerberos_keytab_template',`
|
||||||
|
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||||
|
+ kerberos_read_keytab($2)
|
||||||
|
+ kerberos_use($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -43086,27 +43072,28 @@ index f6c00d8..192df56 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',`
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
+## <rolecap/>
|
||||||
#
|
#
|
||||||
-interface(`kerberos_rw_keytab',`
|
-interface(`kerberos_rw_keytab',`
|
||||||
+interface(`kerberos_read_host_rcache',`
|
+interface(`kerberos_read_kdc_config',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type krb5_keytab_t;
|
- type krb5_keytab_t;
|
||||||
+ type krb5_host_rcache_t;
|
+ type krb5kdc_conf_t;
|
||||||
')
|
')
|
||||||
-
|
|
||||||
- files_search_etc($1)
|
files_search_etc($1)
|
||||||
- allow $1 krb5_keytab_t:file rw_file_perms;
|
- allow $1 krb5_keytab_t:file rw_file_perms;
|
||||||
+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Create, read, write, and delete
|
-## Create, read, write, and delete
|
||||||
-## kerberos key table files.
|
-## kerberos key table files.
|
||||||
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
+## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -43116,14 +43103,79 @@ index f6c00d8..192df56 100644
|
|||||||
+## <rolecap/>
|
+## <rolecap/>
|
||||||
#
|
#
|
||||||
-interface(`kerberos_manage_keytab_files',`
|
-interface(`kerberos_manage_keytab_files',`
|
||||||
+interface(`kerberos_manage_host_rcache',`
|
+interface(`kerberos_manage_kdc_config',`
|
||||||
|
gen_require(`
|
||||||
|
- type krb5_keytab_t;
|
||||||
|
+ type krb5kdc_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
- allow $1 krb5_keytab_t:file manage_file_perms;
|
||||||
|
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||||
|
+ list_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Create specified objects in generic
|
||||||
|
-## etc directories with the kerberos
|
||||||
|
-## keytab file type.
|
||||||
|
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
-## <param name="object_class">
|
||||||
|
-## <summary>
|
||||||
|
-## Class of the object being created.
|
||||||
|
-## </summary>
|
||||||
|
-## </param>
|
||||||
|
-## <param name="name" optional="true">
|
||||||
|
-## <summary>
|
||||||
|
-## The name of the object being created.
|
||||||
|
-## </summary>
|
||||||
|
-## </param>
|
||||||
|
#
|
||||||
|
-interface(`kerberos_etc_filetrans_keytab',`
|
||||||
|
+interface(`kerberos_read_host_rcache',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type krb5_keytab_t;
|
- type krb5_keytab_t;
|
||||||
+ type krb5_host_rcache_t;
|
+ type krb5_host_rcache_t;
|
||||||
')
|
')
|
||||||
|
-
|
||||||
|
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
|
||||||
|
+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
||||||
|
')
|
||||||
|
|
||||||
- files_search_etc($1)
|
########################################
|
||||||
- allow $1 krb5_keytab_t:file manage_file_perms;
|
## <summary>
|
||||||
|
-## Create a derived type for kerberos
|
||||||
|
-## keytab files.
|
||||||
|
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
||||||
|
## </summary>
|
||||||
|
-## <param name="prefix">
|
||||||
|
-## <summary>
|
||||||
|
-## The prefix to be used for deriving type names.
|
||||||
|
-## </summary>
|
||||||
|
-## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
#
|
||||||
|
-template(`kerberos_keytab_template',`
|
||||||
|
- refpolicywarn(`$0($*) has been deprecated.')
|
||||||
|
- kerberos_read_keytab($2)
|
||||||
|
- kerberos_use($2)
|
||||||
|
+interface(`kerberos_manage_host_rcache',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type krb5_host_rcache_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
+ # creates files as system_u no matter what the selinux user
|
+ # creates files as system_u no matter what the selinux user
|
||||||
+ # cjp: should be in the below tunable but typeattribute
|
+ # cjp: should be in the below tunable but typeattribute
|
||||||
+ # does not work in conditionals
|
+ # does not work in conditionals
|
||||||
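Review bot: The new `kerberos_manage_kdc_config` interface in this hunk grants only `read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)` and `list_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)`, which contradicts both its name and the `## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).` summary above it, and leaves it almost a duplicate of the `kerberos_read_kdc_config` interface defined just before it. The certmonger.te hunk earlier on this page switches its caller to `kerberos_manage_kdc_config(certmonger_t)`, so whichever access certmonger actually needs, the current body will not deliver "manage" and the misleading name will hide that from anyone auditing write access to /etc/krb5kdc.conf by interface name. If write access is intended, the body should be `manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)`; if read access is all that is needed, the caller should use `kerberos_read_kdc_config` and this interface should be dropped rather than kept with a summary that overstates what it grants.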
@ -43144,9 +43196,7 @@ index f6c00d8..192df56 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Create specified objects in generic
|
-## Read kerberos kdc configuration files.
|
||||||
-## etc directories with the kerberos
|
|
||||||
-## keytab file type.
|
|
||||||
+## All of the rules required to administrate
|
+## All of the rules required to administrate
|
||||||
+## an kerberos environment
|
+## an kerberos environment
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -43155,24 +43205,26 @@ index f6c00d8..192df56 100644
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <param name="object_class">
|
|
||||||
+## <param name="role">
|
+## <param name="role">
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Class of the object being created.
|
|
||||||
+## The role to be allowed to manage the kerberos domain.
|
+## The role to be allowed to manage the kerberos domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+## <rolecap/>
|
## <rolecap/>
|
||||||
+#
|
#
|
||||||
|
-interface(`kerberos_read_kdc_config',`
|
||||||
+interface(`kerberos_admin',`
|
+interface(`kerberos_admin',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
|
- type krb5kdc_conf_t;
|
||||||
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
||||||
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
||||||
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||||
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
||||||
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
|
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- files_search_etc($1)
|
||||||
|
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||||
+ allow $1 kadmind_t:process signal_perms;
|
+ allow $1 kadmind_t:process signal_perms;
|
||||||
+ ps_process_pattern($1, kadmind_t)
|
+ ps_process_pattern($1, kadmind_t)
|
||||||
+ tunable_policy(`deny_ptrace',`',`
|
+ tunable_policy(`deny_ptrace',`',`
|
||||||
@ -43212,74 +43264,14 @@ index f6c00d8..192df56 100644
|
|||||||
+ admin_pattern($1, krb5kdc_tmp_t)
|
+ admin_pattern($1, krb5kdc_tmp_t)
|
||||||
+
|
+
|
||||||
+ admin_pattern($1, krb5kdc_var_run_t)
|
+ admin_pattern($1, krb5kdc_var_run_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Create, read, write, and delete
|
||||||
|
-## kerberos host rcache files.
|
||||||
+## Type transition files created in /tmp
|
+## Type transition files created in /tmp
|
||||||
+## to the krb5_host_rcache type.
|
+## to the krb5_host_rcache type.
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
## <param name="name" optional="true">
|
|
||||||
@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',`
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
-interface(`kerberos_etc_filetrans_keytab',`
|
|
||||||
+interface(`kerberos_tmp_filetrans_host_rcache',`
|
|
||||||
gen_require(`
|
|
||||||
- type krb5_keytab_t;
|
|
||||||
+ type krb5_host_rcache_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
|
|
||||||
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
|
||||||
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
-## Create a derived type for kerberos
|
|
||||||
-## keytab files.
|
|
||||||
+## Type transition files created in /tmp
|
|
||||||
+## to the kadmind_tmp type.
|
|
||||||
## </summary>
|
|
||||||
-## <param name="prefix">
|
|
||||||
+## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
-## The prefix to be used for deriving type names.
|
|
||||||
+## Domain allowed access.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
-## <param name="domain">
|
|
||||||
+## <param name="name" optional="true">
|
|
||||||
## <summary>
|
|
||||||
-## Domain allowed access.
|
|
||||||
+## The name of the object being created.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
-template(`kerberos_keytab_template',`
|
|
||||||
- refpolicywarn(`$0($*) has been deprecated.')
|
|
||||||
- kerberos_read_keytab($2)
|
|
||||||
- kerberos_use($2)
|
|
||||||
+interface(`kerberos_tmp_filetrans_kadmin',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type kadmind_tmp_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
|
|
||||||
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
-## Read kerberos kdc configuration files.
|
|
||||||
+## read kerberos homedir content (.k5login)
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -43287,38 +43279,16 @@ index f6c00d8..192df56 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <rolecap/>
|
-## <rolecap/>
|
||||||
#
|
+## <param name="name" optional="true">
|
||||||
-interface(`kerberos_read_kdc_config',`
|
+## <summary>
|
||||||
+interface(`kerberos_read_home_content',`
|
+## The name of the object being created.
|
||||||
gen_require(`
|
+## </summary>
|
||||||
- type krb5kdc_conf_t;
|
+## </param>
|
||||||
+ type krb5_home_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
- files_search_etc($1)
|
|
||||||
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
|
||||||
+ userdom_search_user_home_dirs($1)
|
|
||||||
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
-## Create, read, write, and delete
|
|
||||||
-## kerberos host rcache files.
|
|
||||||
+## Manage the kerberos kdc /var/lib files
|
|
||||||
+## and directories.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',`
|
|
||||||
## </param>
|
|
||||||
## <rolecap/>
|
|
||||||
#
|
#
|
||||||
-interface(`kerberos_manage_host_rcache',`
|
-interface(`kerberos_manage_host_rcache',`
|
||||||
+interface(`kerberos_manage_kdc_var_lib',`
|
+interface(`kerberos_tmp_filetrans_host_rcache',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type krb5_host_rcache_t;
|
type krb5_host_rcache_t;
|
||||||
+ type krb5kdc_var_lib_t;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
- domain_obj_id_change_exemption($1)
|
- domain_obj_id_change_exemption($1)
|
||||||
@ -43333,9 +43303,8 @@ index f6c00d8..192df56 100644
|
|||||||
- files_search_tmp($1)
|
- files_search_tmp($1)
|
||||||
- allow $1 krb5_host_rcache_t:file manage_file_perms;
|
- allow $1 krb5_host_rcache_t:file manage_file_perms;
|
||||||
- ')
|
- ')
|
||||||
+ files_search_etc($1)
|
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
||||||
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
|
||||||
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -43343,8 +43312,8 @@ index f6c00d8..192df56 100644
|
|||||||
-## Create objects in generic temporary
|
-## Create objects in generic temporary
|
||||||
-## directories with the kerberos host
|
-## directories with the kerberos host
|
||||||
-## rcache type.
|
-## rcache type.
|
||||||
+## create kerberos content in the in the /root directory
|
+## Type transition files created in /tmp
|
||||||
+## with an correct label.
|
+## to the kadmind_tmp type.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -43354,36 +43323,34 @@ index f6c00d8..192df56 100644
|
|||||||
-## <param name="object_class">
|
-## <param name="object_class">
|
||||||
-## <summary>
|
-## <summary>
|
||||||
-## Class of the object being created.
|
-## Class of the object being created.
|
||||||
-## </summary>
|
|
||||||
-## </param>
|
|
||||||
-## <param name="name" optional="true">
|
|
||||||
-## <summary>
|
|
||||||
-## The name of the object being created.
|
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="name" optional="true">
|
||||||
|
@@ -432,17 +461,18 @@ interface(`kerberos_manage_host_rcache',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
-interface(`kerberos_tmp_filetrans_host_rcache',`
|
-interface(`kerberos_tmp_filetrans_host_rcache',`
|
||||||
+interface(`kerberos_filetrans_admin_home_content',`
|
+interface(`kerberos_tmp_filetrans_kadmin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type krb5_host_rcache_t;
|
- type krb5_host_rcache_t;
|
||||||
+ type krb5_home_t;
|
+ type kadmind_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
|
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
|
||||||
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
|
||||||
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
|
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Connect to krb524 service.
|
-## Connect to krb524 service.
|
||||||
+## Transition to kerberos named content
|
+## read kerberos homedir content (.k5login)
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Domain allowed access.
|
@@ -450,82 +480,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
|
||||||
+## Domain allowed access.
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -43398,25 +43365,25 @@ index f6c00d8..192df56 100644
|
|||||||
-
|
-
|
||||||
- corenet_sendrecv_kerberos_master_client_packets($1)
|
- corenet_sendrecv_kerberos_master_client_packets($1)
|
||||||
- corenet_udp_sendrecv_kerberos_master_port($1)
|
- corenet_udp_sendrecv_kerberos_master_port($1)
|
||||||
+interface(`kerberos_filetrans_home_content',`
|
+interface(`kerberos_read_home_content',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type krb5_home_t;
|
+ type krb5_home_t;
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
+ userdom_search_user_home_dirs($1)
|
||||||
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
|
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## All of the rules required to
|
-## All of the rules required to
|
||||||
-## administrate an kerberos environment.
|
-## administrate an kerberos environment.
|
||||||
+## Transition to kerberos named content
|
+## Manage the kerberos kdc /var/lib files
|
||||||
|
+## and directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Domain allowed access.
|
## Domain allowed access.
|
||||||
+## Domain allowed access.
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <param name="role">
|
-## <param name="role">
|
||||||
@ -43424,17 +43391,17 @@ index f6c00d8..192df56 100644
|
|||||||
-## Role allowed access.
|
-## Role allowed access.
|
||||||
-## </summary>
|
-## </summary>
|
||||||
-## </param>
|
-## </param>
|
||||||
-## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
-interface(`kerberos_admin',`
|
-interface(`kerberos_admin',`
|
||||||
+interface(`kerberos_filetrans_named_content',`
|
+interface(`kerberos_manage_kdc_var_lib',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
||||||
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
||||||
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||||
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
||||||
- type krb5kdc_var_run_t, krb5_host_rcache_t;
|
- type krb5kdc_var_run_t, krb5_host_rcache_t;
|
||||||
+ type krb5kdc_principal_t;
|
+ type krb5kdc_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
|
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
|
||||||
@ -43444,13 +43411,35 @@ index f6c00d8..192df56 100644
|
|||||||
- domain_system_change_exemption($1)
|
- domain_system_change_exemption($1)
|
||||||
- role_transition $2 kerberos_initrc_exec_t system_r;
|
- role_transition $2 kerberos_initrc_exec_t system_r;
|
||||||
- allow $2 system_r;
|
- allow $2 system_r;
|
||||||
-
|
+ files_search_etc($1)
|
||||||
|
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||||
|
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||||
|
+')
|
||||||
|
|
||||||
- logging_list_logs($1)
|
- logging_list_logs($1)
|
||||||
- admin_pattern($1, kadmind_log_t)
|
- admin_pattern($1, kadmind_log_t)
|
||||||
-
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## create kerberos content in the in the /root directory
|
||||||
|
+## with an correct label.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kerberos_filetrans_admin_home_content',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type krb5_home_t;
|
||||||
|
+ ')
|
||||||
|
|
||||||
- files_list_tmp($1)
|
- files_list_tmp($1)
|
||||||
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
|
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
|
||||||
-
|
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
||||||
|
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
|
||||||
|
+')
|
||||||
|
|
||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
|
||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
|
||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
|
||||||
@ -43459,13 +43448,45 @@ index f6c00d8..192df56 100644
|
|||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
|
||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
|
||||||
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
|
||||||
-
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Transition to kerberos named content
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kerberos_filetrans_home_content',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type krb5_home_t;
|
||||||
|
+ ')
|
||||||
|
|
||||||
- files_list_pids($1)
|
- files_list_pids($1)
|
||||||
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
|
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
|
||||||
-
|
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
|
||||||
|
+')
|
||||||
|
|
||||||
- files_list_etc($1)
|
- files_list_etc($1)
|
||||||
- admin_pattern($1, krb5_conf_t)
|
- admin_pattern($1, krb5_conf_t)
|
||||||
-
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Transition to kerberos named content
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kerberos_filetrans_named_content',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||||
|
+ type krb5kdc_principal_t;
|
||||||
|
+ ')
|
||||||
|
|
||||||
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
|
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
|
||||||
-
|
-
|
||||||
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
|
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
|
||||||
|