## MIT Kerberos admin and KDC
##
##
## This policy supports:
##
##
## Servers:
##
##
##
## Clients:
##
## - kinit
## - kdestroy
## - klist
## - ksu (incomplete)
##
##
##
########################################
##
## Use kerberos services
##
##
##
## Domain allowed access.
##
##
#
interface(`kerberos_use',`
gen_require(`
type krb5_conf_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file { getattr read };
dontaudit $1 krb5_conf_t:file write;
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_tcp_connect_kerberos_port($1)
corenet_sendrecv_kerberos_client_packets($1)
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
')
')
########################################
##
## Read the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
interface(`kerberos_read_config',`
gen_require(`
type krb5_conf_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file r_file_perms;
')
########################################
##
## Do not audit attempts to write the kerberos
## configuration file (/etc/krb5.conf).
##
##
##
## Domain to not audit.
##
##
#
interface(`kerberos_dontaudit_write_config',`
gen_require(`
type krb5_conf_t;
')
dontaudit $1 krb5_conf_t:file write;
')
########################################
##
## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
interface(`kerberos_rw_config',`
gen_require(`
type krb5_conf_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms;
')
########################################
##
## Read the kerberos key table.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`kerberos_read_keytab',`
gen_require(`
type krb5_keytab_t;
')
files_search_etc($1)
allow $1 krb5_keytab_t:file r_file_perms;
')