1 | ## <summary>MIT Kerberos admin and KDC</summary> |
2 | ## <desc> | |
3 | ## <p> | |
4 | ## This policy supports: | |
5 | ## </p> | |
6 | ## <p> | |
7 | ## Servers: | |
8 | ## <ul> |
9 | ## <li>kadmind</li> | |
10 | ## <li>krb5kdc</li> | |
11 | ## </ul> | |
65c86137 | 12 | ## </p> |
13 | ## <p> |
14 | ## Clients: | |
15 | ## <ul> |
16 | ## <li>kinit</li> | |
17 | ## <li>kdestroy</li> | |
18 | ## <li>klist</li> | |
19 | ## <li>ksu (incomplete)</li> | |
20 | ## </ul> | |
65c86137 | 21 | ## </p> |
22 | ## </desc> |
23 | ||
########################################
## <summary>
##	Use kerberos services
## </summary>
## <desc>
##	<p>
##	Grants read access to the Kerberos client configuration
##	(krb5_conf_t, /etc/krb5.conf).  Network access for talking
##	to a KDC is NOT unconditional: it is wrapped in the
##	allow_kerberos tunable and is only compiled in when that
##	boolean is enabled.
##	</p>
##	<p>
##	Attempts to write the configuration file are not permitted;
##	they are only dontaudit'ed so a client that opens the file
##	read-write does not flood the audit log.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_use',`
	gen_require(`
		type krb5_conf_t;
	')

	# krb5.conf lives under /etc; the domain needs search on the
	# directory to reach the file at all.
	files_search_etc($1)
	# Read-only access.  Note this is the bare { getattr read } set,
	# narrower than the r_file_perms used by kerberos_read_config
	# elsewhere in this file; NOTE(review): confirm this is still
	# sufficient if the policy version in use requires the
	# "open" permission.
	allow $1 krb5_conf_t:file { getattr read };
	# Silence, but do not allow, writes to the configuration.
	# Presumably some clients open it O_RDWR - confirm against callers.
	dontaudit $1 krb5_conf_t:file write;

	tunable_policy(`allow_kerberos',`
		# Everything below is gated by the allow_kerberos boolean.
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;
		# NOTE(review): sendrecv on all interfaces and all nodes,
		# including raw sockets, is considerably broader than a
		# kinit/klist-style client appears to need; the
		# kerberos_port rules further down are the targeted grant.
		# Confirm the raw_sendrecv rules are actually required
		# before tightening.
		corenet_tcp_sendrecv_all_if($1)
		corenet_udp_sendrecv_all_if($1)
		corenet_raw_sendrecv_all_if($1)
		corenet_tcp_sendrecv_all_nodes($1)
		corenet_udp_sendrecv_all_nodes($1)
		corenet_raw_sendrecv_all_nodes($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_non_ipsec_sendrecv($1)
		# Clients bind an ephemeral local port before talking to the KDC.
		corenet_tcp_bind_all_nodes($1)
		corenet_udp_bind_all_nodes($1)
		# Only the kerberos port is an explicit connect target.
		corenet_tcp_connect_kerberos_port($1)
		# Resolver configuration and DNS, presumably for locating
		# the realm's KDC by name - confirm.
		sysnet_read_config($1)
		sysnet_dns_name_resolve($1)
	')
')
62 | ||
########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <desc>
##	<p>
##	Grants r_file_perms on krb5_conf_t plus search on /etc so the
##	file can be reached.  Read-only: no write access is granted
##	or dontaudit'ed here; see kerberos_dontaudit_write_config
##	and kerberos_rw_config for those.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_read_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# Needed to traverse /etc to the config file.
	files_search_etc($1)
	allow $1 krb5_conf_t:file r_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to write the kerberos
##	configuration file (/etc/krb5.conf).
## </summary>
## <desc>
##	<p>
##	This only suppresses the AVC denial message; the write is
##	still denied.  Use it for domains that are known to open
##	krb5.conf read-write but never need to modify it, so that
##	genuine denials elsewhere are not drowned out.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`kerberos_dontaudit_write_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# dontaudit, not allow: the access remains denied.
	dontaudit $1 krb5_conf_t:file write;
')
100 | ||
57a96cbd CP |
########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <desc>
##	<p>
##	Grants rw_file_perms on krb5_conf_t.  This is a sensitive
##	grant: krb5.conf determines which realms and KDCs clients
##	on the host trust, so a domain that can write it can
##	redirect Kerberos authentication for every user of the
##	system.  Use only for domains that legitimately manage the
##	configuration.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_rw_config',`
	gen_require(`
		type krb5_conf_t;
	')

	# Needed to traverse /etc to the config file.
	files_search_etc($1)
	allow $1 krb5_conf_t:file rw_file_perms;
')
########################################
## <summary>
##	Read the kerberos key table.
## </summary>
## <desc>
##	<p>
##	Grants r_file_perms on krb5_keytab_t.  A keytab holds
##	long-term service keys; being able to read it is equivalent
##	to holding those service credentials, so this should be
##	limited to the daemons that actually authenticate with the
##	keytab.  Note that only search on /etc is granted here, so
##	this covers keytabs located under /etc (e.g. /etc/krb5.keytab);
##	a keytab elsewhere would need its own directory search rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_read_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	# Needed to traverse /etc to the keytab.
	files_search_etc($1)
	allow $1 krb5_keytab_t:file r_file_perms;
')