#DESC Kerberos5 - MIT Kerberos5

# supports krb5kdc and kadmind daemons

# kinit, kdestroy, klist clients

# ksu support not complete

#

# includes rules for OpenSSH daemon compiled with both

# kerberos5 and SELinux support

#

# Not supported : telnetd, ftpd, kprop/kpropd daemons

#

# Author:   Kerry Thompson <kerry@crypt.gen.nz>

# Modified by Colin Walters <walters@redhat.com>

# 

#################################

#

# Rules for the krb5kdc_t,kadmind_t domains.

#

daemon_domain(krb5kdc)

daemon_domain(kadmind)

can_exec(krb5kdc_t, krb5kdc_exec_t)

can_exec(kadmind_t, kadmind_exec_t)

# types for general configuration files in /etc

type krb5_keytab_t, file_type, sysadmfile, secure_file_type;

# types for KDC configs and principal file(s)

type krb5kdc_conf_t, file_type, sysadmfile;

type krb5kdc_principal_t, file_type, sysadmfile;

# Use capabilities. Surplus capabilities may be allowed.

allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };

allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };

# krb5kdc and kadmind can use network

can_network_server( { krb5kdc_t kadmind_t } )

can_ypbind( { krb5kdc_t kadmind_t } )

# allow UDP transfer to/from any program

can_udp_send(kerberos_port_t, krb5kdc_t)

can_udp_send(krb5kdc_t, kerberos_port_t)

can_tcp_connect(kerberos_port_t, krb5kdc_t)

can_tcp_connect(kerberos_admin_port_t, kadmind_t)

# Bind to the kerberos, kerberos-adm ports.

allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;

allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;

allow kadmind_t reserved_port_t:tcp_socket name_bind;

dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;

#

# Rules for Kerberos5 KDC daemon

allow krb5kdc_t self:unix_dgram_socket create_socket_perms;

allow krb5kdc_t self:unix_stream_socket create_socket_perms;

allow kadmind_t  self:unix_stream_socket create_socket_perms;

allow krb5kdc_t krb5kdc_conf_t:dir search;

allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;

allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;

dontaudit krb5kdc_t krb5kdc_principal_t:file write;

allow krb5kdc_t locale_t:file { getattr read };

dontaudit krb5kdc_t krb5kdc_conf_t:file write;

allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };

allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };

allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;

dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;

tmp_domain(krb5kdc)

log_domain(krb5kdc)

allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };

allow kadmind_t random_device_t:chr_file { getattr read };

allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;

allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;

allow krb5kdc_t proc_t:dir r_dir_perms;

allow krb5kdc_t proc_t:file { getattr read };

#

# Rules for Kerberos5 Kadmin daemon

allow kadmind_t self:unix_dgram_socket { connect create write };

allow kadmind_t krb5kdc_conf_t:dir search;

allow kadmind_t krb5kdc_conf_t:file r_file_perms;

allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };

read_locale(kadmind_t)

dontaudit kadmind_t krb5kdc_conf_t:file write;

tmp_domain(kadmind)

log_domain(kadmind)

#

# Allow user programs to talk to KDC

allow krb5kdc_t userdomain:udp_socket recvfrom;

allow userdomain krb5kdc_t:udp_socket recvfrom;

allow initrc_t krb5_conf_t:file ioctl;