convert can_kerberos()
This commit is contained in:
Chris PeBenito
parent
65c8613766
commit
a7a9799d79
@ -169,13 +169,11 @@ allow inetd_child_t self:fifo_file rw_file_perms;
|
|||||||
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
|
||||||
|
|
||||||
# for identd
|
# for identd
|
||||||
# cjp: this should probably only be inetd_child rules?
|
|
||||||
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
allow inetd_child_t self:capability { setuid setgid };
|
allow inetd_child_t self:capability { setuid setgid };
|
||||||
allow inetd_child_t self:dir search;
|
allow inetd_child_t self:dir search;
|
||||||
allow inetd_child_t self:{ lnk_file file } { getattr read };
|
allow inetd_child_t self:{ lnk_file file } { getattr read };
|
||||||
#allow inetd_child_t home_root_t:dir search;
|
#allow inetd_child_t home_root_t:dir search;
|
||||||
#can_kerberos(inetd_child_t)
|
|
||||||
|
|
||||||
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
|
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
|
||||||
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
|
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
|
||||||
@ -214,6 +212,10 @@ tunable_policy(`run_ssh_inetd',`
|
|||||||
corenet_tcp_bind_ssh_port(inetd_t)
|
corenet_tcp_bind_ssh_port(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use(inetd_child_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(inetd_child_t)
|
nis_use_ypbind(inetd_child_t)
|
||||||
')
|
')
|
||||||
|
|||||||
@ -49,10 +49,10 @@ interface(`kerberos_use',`
|
|||||||
corenet_tcp_bind_all_nodes($1)
|
corenet_tcp_bind_all_nodes($1)
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`allow_kerberos && use_dns',`
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
corenet_udp_sendrecv_dns_port($1)
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
|
|||||||
@ -148,6 +148,10 @@ template(`ssh_per_userdomain_template',`
|
|||||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use($1_ssh_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1_ssh_t)
|
nis_use_ypbind($1_ssh_t)
|
||||||
')
|
')
|
||||||
@ -170,8 +174,6 @@ template(`ssh_per_userdomain_template',`
|
|||||||
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
||||||
allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
|
allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
|
||||||
|
|
||||||
can_kerberos($1_ssh_t)
|
|
||||||
|
|
||||||
allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
|
allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
|
||||||
|
|
||||||
# Access the users .ssh directory.
|
# Access the users .ssh directory.
|
||||||
|
|||||||
@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
|
|
||||||
seutil_read_config($1_chkpwd_t)
|
seutil_read_config($1_chkpwd_t)
|
||||||
|
|
||||||
#can_kerberos($1_chkpwd_t)
|
|
||||||
#can_ldap($1_chkpwd_t)
|
#can_ldap($1_chkpwd_t)
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
# Transition from the user domain to this domain.
|
||||||
@ -96,6 +95,10 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
sysnet_read_config($1_chkpwd_t)
|
sysnet_read_config($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use($1_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1_chkpwd_t)
|
nis_use_ypbind($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
@ -104,7 +107,7 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
seutil_use_newrole_fd($1_chkpwd_t)
|
seutil_use_newrole_fd($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end authlogin_per_userdomain_template
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -188,7 +191,10 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
#can_kerberos($1)
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use($1)
|
||||||
|
')
|
||||||
|
|
||||||
#can_ldap($1)
|
#can_ldap($1)
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
|
|||||||
@ -270,12 +270,15 @@ tunable_policy(`use_dns',`
|
|||||||
sysnet_read_config(system_chkpwd_t)
|
sysnet_read_config(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use(system_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(system_chkpwd_t)
|
nis_use_ypbind(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
can_kerberos(system_chkpwd_t)
|
|
||||||
can_ldap(system_chkpwd_t)
|
can_ldap(system_chkpwd_t)
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
|
|||||||
@ -343,6 +343,10 @@ optional_policy(`hotplug.te',`
|
|||||||
modutils_read_mods_deps(initrc_t)
|
modutils_read_mods_deps(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use(initrc_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`lvm.te',`
|
optional_policy(`lvm.te',`
|
||||||
#allow initrc_t lvm_control_t:chr_file unlink;
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
||||||
|
|
||||||
@ -399,11 +403,6 @@ allow initrc_t { file_t default_t }:dir { read search getattr mounton };
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
allow initrc_t xconsole_device_t:fifo_file setattr;
|
allow initrc_t xconsole_device_t:fifo_file setattr;
|
||||||
|
|
||||||
# for lsof in shutdown scripts
|
|
||||||
can_kerberos(initrc_t)
|
|
||||||
dontaudit initrc_t krb5_conf_t:file write;
|
|
||||||
allow initrc_t krb5_conf_t:file r_file_perms;
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# These rules are here to allow init scripts to su
|
# These rules are here to allow init scripts to su
|
||||||
#
|
#
|
||||||
|
|||||||
@ -512,6 +512,10 @@ template(`unpriv_user_template', `
|
|||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
# for running depmod as part of the kernel packaging process
|
# for running depmod as part of the kernel packaging process
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_read_module_conf($1_t)
|
modutils_read_module_conf($1_t)
|
||||||
@ -532,8 +536,6 @@ template(`unpriv_user_template', `
|
|||||||
dontaudit $1_t boot_t:lnk_file read;
|
dontaudit $1_t boot_t:lnk_file read;
|
||||||
dontaudit $1_t boot_t:file read;
|
dontaudit $1_t boot_t:file read;
|
||||||
|
|
||||||
can_kerberos($1_t)
|
|
||||||
|
|
||||||
# do not audit read on disk devices
|
# do not audit read on disk devices
|
||||||
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
|
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user