policy_module(kerberos, 1.11.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow confined applications to run with kerberos.
## </p>
## </desc>
gen_tunable(allow_kerberos, false)
# Declared here but not referenced anywhere in this file; presumably it gates
# the kerberos_*() interfaces in kerberos.if (not shown) - verify there.

# kadmind: the Kerberos administration server. Entered from its executable
# under init. The obj_id_change exemption marks the domain as allowed to
# create/relabel objects whose SELinux user differs from its own
# (can_change_object_identity, per domain.if - not shown here).
type kadmind_t;
type kadmind_exec_t;
init_daemon_domain(kadmind_t, kadmind_exec_t)
domain_obj_id_change_exemption(kadmind_t)

# kadmind log, temp and pid files; labelled through the logging/tmp/pid
# file transitions in the kadmind section below
type kadmind_log_t;
logging_log_file(kadmind_log_t)

type kadmind_tmp_t;
files_tmp_file(kadmind_tmp_t)

type kadmind_var_run_t;
files_pid_file(kadmind_var_run_t)

# init script shared by the kerberos daemons
type kerberos_initrc_exec_t;
init_script_file(kerberos_initrc_exec_t)

# kpropd: receiver side of KDC database propagation (binds the kprop port
# and rewrites the principal database, see its section below)
type kpropd_t;
type kpropd_exec_t;
init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)

# client-side configuration (krb5.conf and friends); the daemons below only
# read it - their write attempts are dontaudited, never allowed
type krb5_conf_t;
files_type(krb5_conf_t)

# per-user kerberos content in home directories
type krb5_home_t;
userdom_user_home_content(krb5_home_t)

# host replay cache, kept under tmp
type krb5_host_rcache_t;
files_tmp_file(krb5_host_rcache_t)

# types for general configuration files in /etc
# The keytab holds long-term service keys; it is declared as a security file
# type so that only explicitly permitted domains can read it (presumably
# excluded from the broad files_read_* interfaces - confirm in files.if).
type krb5_keytab_t;
files_security_file(krb5_keytab_t)

# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
files_type(krb5kdc_conf_t)

type krb5kdc_lock_t;
files_type(krb5kdc_lock_t)

# types for KDC principal file(s)
# The principal database holds the keys of every principal in the realm and
# is the most sensitive object here; only kadmind, krb5kdc and kpropd get
# rules on it below.
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)

# krb5kdc: the KDC itself (AS/TGS service)
type krb5kdc_t;
type krb5kdc_exec_t;
init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
domain_obj_id_change_exemption(krb5kdc_t)

type krb5kdc_log_t;
logging_log_file(krb5kdc_log_t)

type krb5kdc_tmp_t;
files_tmp_file(krb5kdc_tmp_t)

type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
########################################
#
# kadmind local policy
#

# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): dac_override together with chown/fowner lets the daemon bypass
# DAC on every file its type rules reach; as the line above hints, each one is
# worth re-checking against what the daemon actually needs.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:process { setfscreate signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
# server-side TCP socket: the connected_* set covers listen/accept but not
# connect (kadmind only accepts connections)
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;

# own log files, created directly with the log type
allow kadmind_t kadmind_log_t:file manage_file_perms;
logging_log_filetrans(kadmind_t, kadmind_log_t, file)

# krb5.conf is read-only for the daemon; write attempts are silenced, not granted
allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;

# KDC configuration directory: read-only, write/setattr noise silenced
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };

allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };

# full control of the principal database; files kadmind creates in the KDC
# configuration directory are labelled as principal files
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)

# may re-execute its own binary without a domain change
can_exec(kadmind_t, kadmind_exec_t)

manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })

manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)

kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_network_state(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)

corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
corenet_tcp_sendrecv_generic_node(kadmind_t)
corenet_udp_sendrecv_generic_node(kadmind_t)
# send/recv is open to any port; the real restriction is on bind, which is
# limited to the kerberos admin/password ports and the generic reserved port
corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
# bind attempts on other labelled reserved ports are silenced, not allowed
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
corenet_sendrecv_kerberos_password_server_packets(kadmind_t)

dev_read_sysfs(kadmind_t)
# entropy for key generation
dev_read_rand(kadmind_t)
dev_read_urand(kadmind_t)

fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)

domain_use_interactive_fds(kadmind_t)

files_read_etc_files(kadmind_t)
files_read_usr_symlinks(kadmind_t)
files_read_usr_files(kadmind_t)
files_read_var_files(kadmind_t)

# needed for setfscreate above: the context it sets must be validated
selinux_validate_context(kadmind_t)

logging_send_syslog_msg(kadmind_t)

# CA certificates (presumably for PKINIT) and locale data
miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)

seutil_read_file_contexts(kadmind_t)

# network config plus LDAP client access (presumably the LDAP KDB back end)
sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)

userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_user_home_dirs(kadmind_t)

optional_policy(`
nis_use_ypbind(kadmind_t)
')

optional_policy(`
seutil_sigchld_newrole(kadmind_t)
')

optional_policy(`
udev_read_db(kadmind_t)
')
########################################
#
# Krb5kdc local policy
#

# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): net_admin is broad (socket options, interface and routing
# changes) and nothing else in this section shows why the KDC needs it;
# dac_override likewise bypasses DAC on every file the type rules reach.
# Both are worth confirming against current audit data.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;

# krb5.conf is read-only for the daemon; write attempts are silenced, not granted
allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;

# may re-execute its own binary without a domain change
can_exec(krb5kdc_t, krb5kdc_exec_t)

# KDC configuration directory: read-only, write noise silenced
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;

allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };

# own log files, created directly with the log type
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)

# read/write on the principal database (no create/unlink, unlike kadmind);
# writes are presumably for per-principal state such as lockout counters
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;

manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })

manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)

kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
kernel_list_proc(krb5kdc_t)
kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
kernel_search_network_sysctl(krb5kdc_t)

# runs helper binaries inside its own domain (no transition)
corecmd_exec_bin(krb5kdc_t)

corenet_all_recvfrom_unlabeled(krb5kdc_t)
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
corenet_tcp_sendrecv_generic_node(krb5kdc_t)
corenet_udp_sendrecv_generic_node(krb5kdc_t)
# send/recv is open to any port; bind is limited to the kerberos port and the
# only outbound connect granted is to the OCSP port
corenet_tcp_sendrecv_all_ports(krb5kdc_t)
corenet_udp_sendrecv_all_ports(krb5kdc_t)
corenet_tcp_bind_generic_node(krb5kdc_t)
corenet_udp_bind_generic_node(krb5kdc_t)
corenet_tcp_bind_kerberos_port(krb5kdc_t)
corenet_udp_bind_kerberos_port(krb5kdc_t)
# OCSP responder access, presumably for PKINIT certificate status checks
corenet_tcp_connect_ocsp_port(krb5kdc_t)
corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
corenet_sendrecv_ocsp_client_packets(krb5kdc_t)

dev_read_sysfs(krb5kdc_t)
dev_read_urand(krb5kdc_t)

fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)

domain_use_interactive_fds(krb5kdc_t)

files_read_etc_files(krb5kdc_t)
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)

# needed for setfscreate above: the context it sets must be validated
selinux_validate_context(krb5kdc_t)

logging_send_syslog_msg(krb5kdc_t)

# CA certificates (presumably for PKINIT) and locale data
miscfiles_read_generic_certs(krb5kdc_t)
miscfiles_read_localization(krb5kdc_t)

seutil_read_file_contexts(krb5kdc_t)

# network config plus LDAP client access (presumably the LDAP KDB back end)
sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)

userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)

optional_policy(`
nis_use_ypbind(krb5kdc_t)
')

optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
')

optional_policy(`
udev_read_db(krb5kdc_t)
')
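########################################
#
# kpropd local policy
#

# kpropd binds the kprop port, which is a reserved (privileged) port, hence
# net_bind_service. No other capability is granted to this domain.
allow kpropd_t self:capability net_bind_service;
allow kpropd_t self:process setfscreate;

# fifo-specific permission set: the same set rw_file_perms expands to, but it
# names the object class and matches the krb5kdc fifo rule in this file
allow kpropd_t self:fifo_file rw_fifo_file_perms;
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;

# replay cache for the authentication exchange with the propagating KDC
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;

# host keytab, needed to authenticate the peer; read-only
allow kpropd_t krb5_keytab_t:file read_file_perms;

read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)

# lock files in the KDC configuration directory; any file kpropd creates in
# that directory defaults to the lock type
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)

# replaces the principal database with the received copy.
# NOTE(review): unlike kadmind there is no filetrans to krb5kdc_principal_t
# here, so a brand-new database file created by kpropd in this directory
# would get krb5kdc_lock_t from the rule above - confirm against the actual
# propagation/load file flow before relying on the label.
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)

manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })

# runs helper binaries inside its own domain (presumably the database load
# step); no transition, so they inherit every rule in this section
corecmd_exec_bin(kpropd_t)

corenet_all_recvfrom_unlabeled(kpropd_t)
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)

dev_read_urand(kpropd_t)

files_read_etc_files(kpropd_t)
# reach the replay cache under tmp
files_search_tmp(kpropd_t)

# needed for setfscreate above: the context it sets must be validated
selinux_validate_context(kpropd_t)

logging_send_syslog_msg(kpropd_t)

miscfiles_read_localization(kpropd_t)

seutil_read_file_contexts(kpropd_t)

sysnet_dns_name_resolve(kpropd_t)

# act as a kerberos client (interface from kerberos.if, not shown)
kerberos_use(kpropd_t)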