from dan:
kadmind tries to setattr on krb5kdc file. Just a library checking access.
parent
9af48eef6e
commit
ebc1e8be97
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(apache,1.5.6)
|
policy_module(apache,1.5.7)
|
||||||
|
|
||||||
#
|
#
|
||||||
# NOTES:
|
# NOTES:
|
||||||
@ -468,6 +468,7 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(httpd_t)
|
kerberos_use(httpd_t)
|
||||||
|
kerberos_read_kdc_config(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
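Review bot: The new `kerberos_read_kdc_config(httpd_t)` call inside the `kerberos_use(httpd_t)` optional block widens what the web server domain may read, and the commit message, which only covers kadmind's setattr probe, does not say why httpd needs the KDC-side configuration. A Kerberos client normally needs only the client configuration that `kerberos_use` presumably already covers, so this grant deserves a recorded justification or a narrower condition. I would add a comment above it such as `# httpd reads krb5kdc_conf_t files because <reason, to be filled in>`, or move the call into its own commit alongside the denial that motivated it.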
@ -150,3 +150,24 @@ interface(`kerberos_read_keytab',`
|
|||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 krb5_keytab_t:file read_file_perms;
|
allow $1 krb5_keytab_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`kerberos_read_kdc_config',`
|
||||||
|
gen_require(`
|
||||||
|
type krb5kdc_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 krb5kdc_conf_t:file read_file_perms;
|
||||||
|
|
||||||
|
')
|
||||||
|
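Review bot: The summary of `kerberos_read_kdc_config` names a single file (/etc/krb5kdc.conf), but the rule `allow $1 krb5kdc_conf_t:file read_file_perms;` grants read on every file carrying that type, so the documentation understates the scope. The interface also only calls `files_search_etc($1)`, while kerberos.te in this same commit uses `read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)`, which suggests the files can sit in a directory of that type. If so, callers would be denied the directory search and a later fix might over-grant. I would reword the summary to "Read files labelled krb5kdc_conf_t (the KDC configuration)" and, if the directory case applies, replace the allow line with `read_files_pattern($1,krb5kdc_conf_t,krb5kdc_conf_t)`.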
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kerberos,1.3.4)
|
policy_module(kerberos,1.3.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -75,7 +75,7 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
|
|||||||
dontaudit kadmind_t krb5_conf_t:file write;
|
dontaudit kadmind_t krb5_conf_t:file write;
|
||||||
|
|
||||||
read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
|
read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
|
||||||
dontaudit kadmind_t krb5kdc_conf_t:file write;
|
dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
|
||||||
|
|
||||||
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
|
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
|
||||||
|
|
||||||
|
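Review bot: Adding `setattr` to `dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };` removes the audit record for every attribute-change attempt by kadmind on the KDC configuration, not just the benign library probe the commit message describes. The access stays denied, but a misbehaving or compromised kadmind attempting the same operation would no longer leave an AVC entry, so the rationale should sit next to the rule. I would add a comment above it such as `# kadmind's library probes write/setattr on the KDC config; the denial is expected, so it is kept out of the audit log`. When investigating, dontaudit rules can be temporarily disabled with `semodule -DB`.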