selinux-policy/policy/modules/services/kerberos.if

## <summary>MIT Kerberos admin and KDC</summary>
## <desc>
##	<p>
##	This policy supports:
##	</p>
##	<p>
##	Servers:
##	<ul>
##		<li>kadmind</li>
##		<li>krb5kdc</li>
##	</ul>
##	</p>
##	<p>
##	Clients:
##	<ul>
##		<li>kinit</li>
##		<li>kdestroy</li>
##		<li>klist</li>
##		<li>ksu (incomplete)</li>
##	</ul>
##	</p>
## </desc>

########################################
## <summary>
##	Use kerberos services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_use',`
	gen_require(`
		type krb5_conf_t;
		type krb5kdc_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file { getattr read };
	dontaudit $1 krb5_conf_t:file write;
	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;

	tunable_policy(`allow_kerberos',`
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;

		corenet_all_recvfrom_unlabeled($1)
		corenet_all_recvfrom_netlabel($1)
		corenet_tcp_sendrecv_all_if($1)
		corenet_udp_sendrecv_all_if($1)
		corenet_tcp_sendrecv_all_nodes($1)
		corenet_udp_sendrecv_all_nodes($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_tcp_bind_all_nodes($1)
		corenet_udp_bind_all_nodes($1)
		corenet_tcp_connect_kerberos_port($1)
		corenet_tcp_connect_ocsp_port($1)
		corenet_sendrecv_kerberos_client_packets($1)
		corenet_sendrecv_ocsp_client_packets($1)

		sysnet_read_config($1)
		sysnet_dns_name_resolve($1)
	')

	optional_policy(`
		tunable_policy(`allow_kerberos',`
			pcscd_stream_connect($1)
		')
	')
')

########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write the kerberos
##	configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`kerberos_dontaudit_write_config',`
	gen_require(`
		type krb5_conf_t;
	')

	dontaudit $1 krb5_conf_t:file write;
')

########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_rw_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file rw_file_perms;
')

########################################
## <summary>
##	Read the kerberos key table.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	files_search_etc($1)
	allow $1 krb5_keytab_t:file read_file_perms;
')

########################################
## <summary>
##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kerberos_read_kdc_config',`
	gen_require(`
		type krb5kdc_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5kdc_conf_t:file read_file_perms;

')