+- Patch for misc fixes to kerberos from Dan Walsh.
- Patch to start deprecating usercanread attribute from Ryan Bradetich.
- Add dccp_socket object class which was added in kernel 2.6.20.
- Patch for prelink relabefrom it's temp files from Dan Walsh.
allow $1 krb5_conf_t:file { getattr read };
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
- dontaudit $1 krb5kdc_conf_t:file read_file_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
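Review bot: Widening the `dontaudit` on `krb5kdc_conf_t:file` from `read_file_perms` to `rw_file_perms` hides denied write-type access to the KDC configuration for every domain that calls this interface, not just the caller that produced the noise. The access is still denied, but no AVC record is left, and a denied write to KDC configuration is a signal an investigator would want to see. If the denials come from one known caller, I would keep `read_file_perms` here and put the write `dontaudit` in that caller's module. Otherwise add a comment above the rule such as `# dontaudit rw: <which caller opens the KDC config read-write, and why it is harmless>`, and note that `semodule -DB` re-enables these records when triaging. The enclosing interface starts and ends outside this hunk.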
-policy_module(kerberos,1.3.1)
+policy_module(kerberos,1.3.2)
########################################
#
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { getsched signal_perms };
+allow krb5kdc_t self:process { setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
+allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
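Review bot: The two added grants on `krb5kdc_t`, `setsched` in the `self:process` rule and `allow krb5kdc_t self:fifo_file rw_fifo_file_perms;`, have no comment saying which KDC behaviour needed them, and the changelog entry only says "misc fixes". The block header already admits that surplus capabilities may be allowed, so unexplained additions make a later least-privilege pass on the KDC domain harder. I would put a one-line comment above each rule, for example `# setsched: <denial seen, krb5 version>` and `# fifo_file: <which pipe the KDC opens>`. I assume the hunk ends at the `krb5_conf_t` lines, since no hunk headers are visible on this page.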
kernel_list_proc(krb5kdc_t)
kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
+kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_sbin(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)