## MIT Kerberos admin and KDC ## ##

## This policy supports: ##

##

## Servers: ##

##

##

## Clients: ##

##

##
######################################## ## ## Use kerberos services ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_use',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file { getattr read }; dontaudit $1 krb5_conf_t:file write; tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_kerberos_port($1) corenet_udp_sendrecv_kerberos_port($1) corenet_non_ipsec_sendrecv($1) corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) corenet_tcp_connect_kerberos_port($1) sysnet_read_config($1) sysnet_dns_name_resolve($1) ') ') ######################################## ## ## Read the kerberos configuration file (/etc/krb5.conf). ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_read_config',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file r_file_perms; ') ######################################## ## ## Do not audit attempts to write the kerberos ## configuration file (/etc/krb5.conf). ## ## ## ## Domain to not audit. ## ## # interface(`kerberos_dontaudit_write_config',` gen_require(` type krb5_conf_t; ') dontaudit $1 krb5_conf_t:file write; ') ######################################## ## ## Read and write the kerberos configuration file (/etc/krb5.conf). ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_rw_config',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file rw_file_perms; ') ######################################## ## ## Read the kerberos key table. ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_read_keytab',` gen_require(` type krb5_keytab_t; ') files_search_etc($1) allow $1 krb5_keytab_t:file r_file_perms; ')