5b06477c8e
> Eliminate excess avc messages created when using kerberos libraries > > krb5kdc wans to setsched > > Also uses a fifo_file to communicate. > > Needs to search_network_sysctl
255 lines
6.8 KiB
Plaintext
255 lines
6.8 KiB
Plaintext
|
|
policy_module(kerberos,1.3.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type kadmind_t;
|
|
type kadmind_exec_t;
|
|
init_daemon_domain(kadmind_t,kadmind_exec_t)
|
|
|
|
type kadmind_log_t;
|
|
logging_log_file(kadmind_log_t)
|
|
|
|
type kadmind_tmp_t;
|
|
files_tmp_file(kadmind_tmp_t)
|
|
|
|
type kadmind_var_run_t;
|
|
files_pid_file(kadmind_var_run_t)
|
|
|
|
type krb5_conf_t;
|
|
files_type(krb5_conf_t)
|
|
|
|
# types for general configuration files in /etc
|
|
type krb5_keytab_t;
|
|
files_security_file(krb5_keytab_t)
|
|
|
|
# types for KDC configs and principal file(s)
|
|
type krb5kdc_conf_t;
|
|
files_type(krb5kdc_conf_t)
|
|
|
|
# types for KDC principal file(s)
|
|
type krb5kdc_principal_t;
|
|
files_type(krb5kdc_principal_t)
|
|
|
|
type krb5kdc_t;
|
|
type krb5kdc_exec_t;
|
|
init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
|
|
|
|
type krb5kdc_log_t;
|
|
logging_log_file(krb5kdc_log_t)
|
|
|
|
type krb5kdc_tmp_t;
|
|
files_tmp_file(krb5kdc_tmp_t)
|
|
|
|
type krb5kdc_var_run_t;
|
|
files_pid_file(krb5kdc_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# kadmind local policy
|
|
#
|
|
|
|
# Use capabilities. Surplus capabilities may be allowed.
|
|
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
|
|
dontaudit kadmind_t self:capability sys_tty_config;
|
|
allow kadmind_t self:process signal_perms;
|
|
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow kadmind_t self:unix_dgram_socket { connect create write };
|
|
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
|
allow kadmind_t self:udp_socket create_socket_perms;
|
|
|
|
allow kadmind_t kadmind_log_t:file manage_file_perms;
|
|
logging_log_filetrans(kadmind_t,kadmind_log_t,file)
|
|
|
|
allow kadmind_t krb5_conf_t:file read_file_perms;
|
|
dontaudit kadmind_t krb5_conf_t:file write;
|
|
|
|
read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
|
|
dontaudit kadmind_t krb5kdc_conf_t:file write;
|
|
|
|
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
|
|
|
|
can_exec(kadmind_t, kadmind_exec_t)
|
|
|
|
manage_dirs_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
|
|
manage_files_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
|
|
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(kadmind_t,kadmind_var_run_t,kadmind_var_run_t)
|
|
files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(kadmind_t)
|
|
kernel_list_proc(kadmind_t)
|
|
kernel_read_proc_symlinks(kadmind_t)
|
|
|
|
corenet_non_ipsec_sendrecv(kadmind_t)
|
|
corenet_tcp_sendrecv_all_if(kadmind_t)
|
|
corenet_udp_sendrecv_all_if(kadmind_t)
|
|
corenet_tcp_sendrecv_all_nodes(kadmind_t)
|
|
corenet_udp_sendrecv_all_nodes(kadmind_t)
|
|
corenet_tcp_sendrecv_all_ports(kadmind_t)
|
|
corenet_udp_sendrecv_all_ports(kadmind_t)
|
|
corenet_tcp_bind_all_nodes(kadmind_t)
|
|
corenet_udp_bind_all_nodes(kadmind_t)
|
|
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
|
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
|
corenet_tcp_bind_reserved_port(kadmind_t)
|
|
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
|
|
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
|
|
|
|
dev_read_sysfs(kadmind_t)
|
|
dev_read_rand(kadmind_t)
|
|
dev_read_urand(kadmind_t)
|
|
|
|
fs_getattr_all_fs(kadmind_t)
|
|
fs_search_auto_mountpoints(kadmind_t)
|
|
|
|
term_dontaudit_use_console(kadmind_t)
|
|
|
|
domain_use_interactive_fds(kadmind_t)
|
|
|
|
files_read_etc_files(kadmind_t)
|
|
|
|
init_use_fds(kadmind_t)
|
|
init_use_script_ptys(kadmind_t)
|
|
|
|
libs_use_ld_so(kadmind_t)
|
|
libs_use_shared_libs(kadmind_t)
|
|
|
|
logging_send_syslog_msg(kadmind_t)
|
|
|
|
miscfiles_read_localization(kadmind_t)
|
|
|
|
sysnet_read_config(kadmind_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_ttys(kadmind_t)
|
|
term_dontaudit_use_generic_ptys(kadmind_t)
|
|
files_dontaudit_read_root_files(kadmind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(kadmind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(kadmind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(kadmind_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Krb5kdc local policy
|
|
#
|
|
|
|
# Use capabilities. Surplus capabilities may be allowed.
|
|
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
|
dontaudit krb5kdc_t self:capability sys_tty_config;
|
|
allow krb5kdc_t self:process { setsched getsched signal_perms };
|
|
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
|
|
allow krb5kdc_t self:udp_socket create_socket_perms;
|
|
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow krb5kdc_t krb5_conf_t:file read_file_perms;
|
|
dontaudit krb5kdc_t krb5_conf_t:file write;
|
|
|
|
can_exec(krb5kdc_t, krb5kdc_exec_t)
|
|
|
|
read_files_pattern(krb5kdc_t,krb5kdc_conf_t,krb5kdc_conf_t)
|
|
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
|
|
|
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
|
|
logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
|
|
|
|
allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
|
|
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
|
|
|
|
manage_dirs_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
|
|
manage_files_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
|
|
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(krb5kdc_t,krb5kdc_var_run_t,krb5kdc_var_run_t)
|
|
files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
|
|
|
|
kernel_read_system_state(krb5kdc_t)
|
|
kernel_read_kernel_sysctls(krb5kdc_t)
|
|
kernel_list_proc(krb5kdc_t)
|
|
kernel_read_proc_symlinks(krb5kdc_t)
|
|
kernel_read_network_state(krb5kdc_t)
|
|
kernel_search_network_sysctl(krb5kdc_t)
|
|
|
|
corecmd_exec_sbin(krb5kdc_t)
|
|
corecmd_exec_bin(krb5kdc_t)
|
|
|
|
corenet_non_ipsec_sendrecv(krb5kdc_t)
|
|
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
|
corenet_udp_sendrecv_all_if(krb5kdc_t)
|
|
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
|
|
corenet_udp_sendrecv_all_nodes(krb5kdc_t)
|
|
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
|
corenet_udp_sendrecv_all_ports(krb5kdc_t)
|
|
corenet_tcp_bind_all_nodes(krb5kdc_t)
|
|
corenet_udp_bind_all_nodes(krb5kdc_t)
|
|
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
|
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
|
corenet_tcp_connect_ocsp_port(krb5kdc_t)
|
|
corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
|
|
corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
|
|
|
|
dev_read_sysfs(krb5kdc_t)
|
|
dev_read_urand(krb5kdc_t)
|
|
|
|
fs_getattr_all_fs(krb5kdc_t)
|
|
fs_search_auto_mountpoints(krb5kdc_t)
|
|
|
|
term_dontaudit_use_console(krb5kdc_t)
|
|
|
|
domain_use_interactive_fds(krb5kdc_t)
|
|
|
|
files_read_etc_files(krb5kdc_t)
|
|
files_read_usr_symlinks(krb5kdc_t)
|
|
files_read_var_files(krb5kdc_t)
|
|
|
|
init_use_fds(krb5kdc_t)
|
|
init_use_script_ptys(krb5kdc_t)
|
|
|
|
libs_use_ld_so(krb5kdc_t)
|
|
libs_use_shared_libs(krb5kdc_t)
|
|
|
|
logging_send_syslog_msg(krb5kdc_t)
|
|
|
|
miscfiles_read_localization(krb5kdc_t)
|
|
|
|
sysnet_read_config(krb5kdc_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_ttys(krb5kdc_t)
|
|
term_dontaudit_use_generic_ptys(krb5kdc_t)
|
|
files_dontaudit_read_root_files(krb5kdc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(krb5kdc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(krb5kdc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(krb5kdc_t)
|
|
')
|