from dan:

kadmind trys to setattr on krb5kdc file. Just a library checking access.
2007-04-10 17:20:07 +00:00 · 2007-04-10 17:20:07 +00:00 · ebc1e8be97
commit ebc1e8be97
parent 9af48eef6e
3 changed files with 25 additions and 3 deletions
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.5.6)
+policy_module(apache,1.5.7)

 #
 # NOTES: 
@ -468,6 +468,7 @@ optional_policy(`

 optional_policy(`
 	kerberos_use(httpd_t)
+	kerberos_read_kdc_config(httpd_t)
 ')

 optional_policy(`
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@ -150,3 +150,24 @@ interface(`kerberos_read_keytab',`
 	files_search_etc($1)
 	allow $1 krb5_keytab_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+	gen_require(`
+		type krb5kdc_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5kdc_conf_t:file read_file_perms;
+
+')
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@ -1,5 +1,5 @@

-policy_module(kerberos,1.3.4)
+policy_module(kerberos,1.3.5)

 ########################################
 #
@ -75,7 +75,7 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;

 read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };

 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };