#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author:   Kerry Thompson <kerry@crypt.gen.nz>
# Modified by Colin Walters <walters@redhat.com>
# 

#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
daemon_domain(krb5kdc)
daemon_domain(kadmind)

can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)

# types for general configuration files in /etc
type krb5_keytab_t, file_type, sysadmfile, secure_file_type;

# types for KDC configs and principal file(s)
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;

# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };

# krb5kdc and kadmind can use network
can_network_server( { krb5kdc_t kadmind_t } )
can_ypbind( { krb5kdc_t kadmind_t } )

# allow UDP transfer to/from any program
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)

# Bind to the kerberos, kerberos-adm ports.
allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t reserved_port_t:tcp_socket name_bind;
dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;

#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
allow krb5kdc_t self:unix_stream_socket create_socket_perms;
allow kadmind_t  self:unix_stream_socket create_socket_perms;
allow krb5kdc_t krb5kdc_conf_t:dir search;
allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t locale_t:file { getattr read };
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
tmp_domain(krb5kdc)
log_domain(krb5kdc)
allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
allow kadmind_t random_device_t:chr_file { getattr read };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t proc_t:dir r_dir_perms;
allow krb5kdc_t proc_t:file { getattr read };

#
# Rules for Kerberos5 Kadmin daemon
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t krb5kdc_conf_t:dir search;
allow kadmind_t krb5kdc_conf_t:file r_file_perms;
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
read_locale(kadmind_t)
dontaudit kadmind_t krb5kdc_conf_t:file write;
tmp_domain(kadmind)
log_domain(kadmind)

#
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
allow initrc_t krb5_conf_t:file ioctl;