from dan:

kadmind trys to setattr on krb5kdc file.  Just a library checking access.
This commit is contained in:
Chris PeBenito 2007-04-10 17:20:07 +00:00
parent 9af48eef6e
commit ebc1e8be97
3 changed files with 25 additions and 3 deletions

View File

@ -1,5 +1,5 @@
policy_module(apache,1.5.6) policy_module(apache,1.5.7)
# #
# NOTES: # NOTES:
@ -468,6 +468,7 @@ optional_policy(`
optional_policy(` optional_policy(`
kerberos_use(httpd_t) kerberos_use(httpd_t)
kerberos_read_kdc_config(httpd_t)
') ')
optional_policy(` optional_policy(`

View File

@ -150,3 +150,24 @@ interface(`kerberos_read_keytab',`
files_search_etc($1) files_search_etc($1)
allow $1 krb5_keytab_t:file read_file_perms; allow $1 krb5_keytab_t:file read_file_perms;
') ')
########################################
## <summary>
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_kdc_config',`
gen_require(`
type krb5kdc_conf_t;
')
files_search_etc($1)
allow $1 krb5kdc_conf_t:file read_file_perms;
')

View File

@ -1,5 +1,5 @@
policy_module(kerberos,1.3.4) policy_module(kerberos,1.3.5)
######################################## ########################################
# #
@ -75,7 +75,7 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write; dontaudit kadmind_t krb5_conf_t:file write;
read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t) read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
dontaudit kadmind_t krb5kdc_conf_t:file write; dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr }; allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };