## <summary>MIT Kerberos admin and KDC</summary> ## <desc> ## <p> ## This policy supports: ## </p> ## <p> ## Servers: ## <ul> ## <li>kadmind</li> ## <li>krb5kdc</li> ## </ul> ## </p> ## <p> ## Clients: ## <ul> ## <li>kinit</li> ## <li>kdestroy</li> ## <li>klist</li> ## <li>ksu (incomplete)</li> ## </ul> ## </p> ## </desc> ######################################## ## <summary> ## Use kerberos services ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`kerberos_use',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file { getattr read }; dontaudit $1 krb5_conf_t:file write; tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_kerberos_port($1) corenet_udp_sendrecv_kerberos_port($1) corenet_non_ipsec_sendrecv($1) corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) corenet_tcp_connect_kerberos_port($1) sysnet_read_config($1) sysnet_dns_name_resolve($1) ') ') ######################################## ## <summary> ## Read the kerberos configuration file (/etc/krb5.conf). ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`kerberos_read_config',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file r_file_perms; ') ######################################## ## <summary> ## Do not audit attempts to write the kerberos ## configuration file (/etc/krb5.conf). ## </summary> ## <param name="domain"> ## Domain to not audit. ## </param> # interface(`kerberos_dontaudit_write_config',` gen_require(` type krb5_conf_t; ') dontaudit $1 krb5_conf_t:file write; ') ######################################## ## <summary> ## Read and write the kerberos configuration file (/etc/krb5.conf). ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`kerberos_rw_config',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file rw_file_perms; ') ######################################## ## <summary> ## Read the kerberos key table. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`kerberos_read_keytab',` gen_require(` type krb5_keytab_t; ') files_search_etc($1) allow $1 krb5_keytab_t:file r_file_perms; ')