## MIT Kerberos admin and KDC ## ##

## This policy supports: ##

##

## Servers: ##

##

##

## Clients: ##

##

##
########################################
## <summary>
##	Use kerberos services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_use',`
	gen_require(`
		type krb5_conf_t;
		type krb5kdc_conf_t;
	')

	# Unconditional part: the calling domain may read the client
	# configuration type krb5_conf_t. files_search_etc is defined outside
	# this file; presumably it grants search on the etc directories.
	# NOTE(review): the explicit { getattr read } set is narrower than the
	# read_file_perms set used by kerberos_read_config below; confirm the
	# difference is intended.
	files_search_etc($1)
	allow $1 krb5_conf_t:file { getattr read };

	# dontaudit grants nothing. Writes to krb5_conf_t and any listing or
	# read/write of krb5kdc_conf_t stay denied; only the denial record is
	# suppressed. When investigating a domain that uses this interface,
	# these attempts are absent from the audit log unless dontaudit rules
	# are disabled.
	dontaudit $1 krb5_conf_t:file write;
	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;

	# Network access is conditional on the allow_kerberos boolean; with the
	# boolean off none of the rules in this block are active.
	tunable_policy(`allow_kerberos',`
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;

		# NOTE(review): by their names the all_if, all_nodes and
		# bind_all_nodes macros are not limited to specific interfaces
		# or addresses. Their definitions are outside this file, so
		# confirm that every caller needs this breadth.
		corenet_all_recvfrom_unlabeled($1)
		corenet_all_recvfrom_netlabel($1)
		corenet_tcp_sendrecv_all_if($1)
		corenet_udp_sendrecv_all_if($1)
		corenet_tcp_sendrecv_all_nodes($1)
		corenet_udp_sendrecv_all_nodes($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_tcp_bind_all_nodes($1)
		corenet_udp_bind_all_nodes($1)

		# Outbound connections named here are the kerberos and ocsp
		# ports only.
		corenet_tcp_connect_kerberos_port($1)
		corenet_tcp_connect_ocsp_port($1)
		corenet_sendrecv_kerberos_client_packets($1)
		corenet_sendrecv_ocsp_client_packets($1)

		sysnet_read_config($1)
		sysnet_dns_name_resolve($1)
	')

	# The pcscd rule is applied only when the policy providing
	# pcscd_stream_connect is present, and is also gated on allow_kerberos.
	optional_policy(`
		tunable_policy(`allow_kerberos',`
			pcscd_stream_connect($1)
		')
	')
')

########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# Read-only access to the client configuration type; no network rules
	# and no dontaudit rules are added here, unlike kerberos_use.
	files_search_etc($1)
	allow $1 krb5_conf_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write the kerberos
##	configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`kerberos_dontaudit_write_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# Suppresses the audit record only; the write itself is still denied
	# unless another rule allows it. Callers lose visibility of write
	# attempts against krb5_conf_t in the audit log.
	dontaudit $1 krb5_conf_t:file write;
')

########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_rw_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# Grants write as well as read on krb5_conf_t. The client configuration
	# determines which realms and KDCs Kerberos clients talk to, so this
	# interface should be limited to domains that manage that file.
	files_search_etc($1)
	allow $1 krb5_conf_t:file rw_file_perms;
')

########################################
## <summary>
##	Read the kerberos key table.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	# Read access to files labelled krb5_keytab_t. A key table stores
	# long-term keys for service principals, so any domain given this
	# interface can read those keys; grant it only to services that must
	# accept Kerberos authentication.
	files_search_etc($1)
	allow $1 krb5_keytab_t:file read_file_perms;
')

########################################
## <summary>
##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_kdc_config',`
	gen_require(`
		type krb5kdc_conf_t;
	')

	# Read-only access to the KDC configuration type. kerberos_use above
	# explicitly dontaudits access to this same type for ordinary clients,
	# so callers of this interface are expected to be the exception.
	files_search_etc($1)
	allow $1 krb5kdc_conf_t:file read_file_perms;
')