[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / kerberos.if

## <summary>MIT Kerberos admin and KDC</summary>
## <desc>
##	<p>
##	This policy supports:
##	</p>
##	<p>
##	Servers:
##	<ul>
##		<li>kadmind</li>
##		<li>krb5kdc</li>
##	</ul>
##	</p>
##	<p>
##	Clients:
##	<ul>
##		<li>kinit</li>
##		<li>kdestroy</li>
##		<li>klist</li>
##		<li>ksu (incomplete)</li>
##	</ul>
##	</p>
## </desc>

########################################
## <summary>
##	Use kerberos services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_use',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file { getattr read };
	dontaudit $1 krb5_conf_t:file write;

	tunable_policy(`allow_kerberos',`
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;
		corenet_tcp_sendrecv_all_if($1)
		corenet_udp_sendrecv_all_if($1)
		corenet_raw_sendrecv_all_if($1)
		corenet_tcp_sendrecv_all_nodes($1)
		corenet_udp_sendrecv_all_nodes($1)
		corenet_raw_sendrecv_all_nodes($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_non_ipsec_sendrecv($1)
		corenet_tcp_bind_all_nodes($1)
		corenet_udp_bind_all_nodes($1)
		corenet_tcp_connect_kerberos_port($1)
		sysnet_read_config($1)
		sysnet_dns_name_resolve($1)
	')
')

########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_read_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write the kerberos
##	configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`kerberos_dontaudit_write_config',`
	gen_require(`
		type krb5_conf_t;
	')

	dontaudit $1 krb5_conf_t:file write;
')

########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_rw_config',`
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file rw_file_perms;
')

########################################
## <summary>
##	Read the kerberos key table.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_read_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	files_search_etc($1)
	allow $1 krb5_keytab_t:file r_file_perms;
')
Commit	Line	Data
5e1ed490 CP	1	## <summary>MIT Kerberos admin and KDC</summary>
	2	## <desc>
	3	## <p>
	4	## This policy supports:
	5	## </p>
	6	## <p>
	7	## Servers:
5e1ed490 CP	8	## <ul>
	9	## <li>kadmind</li>
	10	## <li>krb5kdc</li>
	11	## </ul>
65c86137	12	## </p>
5e1ed490 CP	13	## <p>
5e1ed490 CP	14	## Clients:
5e1ed490 CP	15	## <ul>
	16	## <li>kinit</li>
	17	## <li>kdestroy</li>
	18	## <li>klist</li>
	19	## <li>ksu (incomplete)</li>
	20	## </ul>
65c86137	21	## </p>
5e1ed490 CP	22	## </desc>
	23
	24	########################################
	25	## <summary>
	26	## Use kerberos services
	27	## </summary>
	28	## <param name="domain">
885b83ec	29	## <summary>
5e1ed490	30	## Domain allowed access.
885b83ec	31	## </summary>
5e1ed490 CP	32	## </param>
	33	#
	34	interface(`kerberos_use',`
	35	gen_require(`
	36	type krb5_conf_t;
5e1ed490 CP	37	')
5e1ed490 CP	38
6e61566d CP	39	files_search_etc($1)
	40	allow $1 krb5_conf_t:file { getattr read };
	41	dontaudit $1 krb5_conf_t:file write;
	42
5e1ed490	43	tunable_policy(`allow_kerberos',`
6e61566d CP	44	allow $1 self:tcp_socket create_socket_perms;
6e61566d CP	45	allow $1 self:udp_socket create_socket_perms;
5e1ed490 CP	46	corenet_tcp_sendrecv_all_if($1)
	47	corenet_udp_sendrecv_all_if($1)
	48	corenet_raw_sendrecv_all_if($1)
	49	corenet_tcp_sendrecv_all_nodes($1)
	50	corenet_udp_sendrecv_all_nodes($1)
	51	corenet_raw_sendrecv_all_nodes($1)
	52	corenet_tcp_sendrecv_kerberos_port($1)
	53	corenet_udp_sendrecv_kerberos_port($1)
bd70373d	54	corenet_non_ipsec_sendrecv($1)
5e1ed490 CP	55	corenet_tcp_bind_all_nodes($1)
5e1ed490 CP	56	corenet_udp_bind_all_nodes($1)
cff75c90	57	corenet_tcp_connect_kerberos_port($1)
5e1ed490	58	sysnet_read_config($1)
98a8ead4	59	sysnet_dns_name_resolve($1)
5e1ed490	60	')
5e1ed490 CP	61	')
	62
	63	########################################
	64	## <summary>
	65	## Read the kerberos configuration file (/etc/krb5.conf).
	66	## </summary>
	67	## <param name="domain">
885b83ec	68	## <summary>
5e1ed490	69	## Domain allowed access.
885b83ec	70	## </summary>
5e1ed490 CP	71	## </param>
5e1ed490 CP	72	#
57a96cbd	73	interface(`kerberos_read_config',`
5e1ed490 CP	74	gen_require(`
5e1ed490 CP	75	type krb5_conf_t;
5e1ed490 CP	76	')
	77
	78	files_search_etc($1)
	79	allow $1 krb5_conf_t:file r_file_perms;
	80	')
57a96cbd	81
93070cba CP	82	########################################
	83	## <summary>
	84	## Do not audit attempts to write the kerberos
	85	## configuration file (/etc/krb5.conf).
	86	## </summary>
	87	## <param name="domain">
885b83ec	88	## <summary>
93070cba	89	## Domain to not audit.
885b83ec	90	## </summary>
93070cba CP	91	## </param>
	92	#
	93	interface(`kerberos_dontaudit_write_config',`
	94	gen_require(`
	95	type krb5_conf_t;
	96	')
	97
	98	dontaudit $1 krb5_conf_t:file write;
	99	')
	100
57a96cbd CP	101	########################################
	102	## <summary>
	103	## Read and write the kerberos configuration file (/etc/krb5.conf).
	104	## </summary>
	105	## <param name="domain">
885b83ec	106	## <summary>
57a96cbd	107	## Domain allowed access.
885b83ec	108	## </summary>
57a96cbd CP	109	## </param>
	110	#
	111	interface(`kerberos_rw_config',`
	112	gen_require(`
	113	type krb5_conf_t;
57a96cbd CP	114	')
	115
	116	files_search_etc($1)
	117	allow $1 krb5_conf_t:file rw_file_perms;
	118	')
4fd5201a CP	119
	120	########################################
	121	## <summary>
	122	## Read the kerberos key table.
	123	## </summary>
	124	## <param name="domain">
885b83ec	125	## <summary>
4fd5201a	126	## Domain allowed access.
885b83ec	127	## </summary>
4fd5201a CP	128	## </param>
	129	#
	130	interface(`kerberos_read_keytab',`
	131	gen_require(`
	132	type krb5_keytab_t;
	133	')
	134
	135	files_search_etc($1)
	136	allow $1 krb5_keytab_t:file r_file_perms;
	137	')