## <summary>MIT Kerberos admin and KDC</summary>
## <desc>
##	<p>
##	This policy supports:
##	</p>
##	<p>
##	Servers:
##	<ul>
##		<li>kadmind</li>
##		<li>krb5kdc</li>
##	</ul>
##	</p>
##	<p>
##	Clients:
##	<ul>
##		<li>kinit</li>
##		<li>kdestroy</li>
##		<li>klist</li>
##		<li>ksu (incomplete)</li>
##	</ul>
##	</p>
## </desc>
      ########################################
      Chris PeBenito 17de1b
      ## <summary>
      Chris PeBenito 17de1b
      ##	Use kerberos services
      Chris PeBenito 17de1b
      ## </summary>
      Chris PeBenito 17de1b
      ## <param name="domain">
      Chris PeBenito 17de1b
      ##	<summary>
      Chris PeBenito 17de1b
      ##	Domain allowed access.
      Chris PeBenito 17de1b
      ##	</summary>
      Chris PeBenito 17de1b
      ## </param>
      Chris PeBenito 17de1b
      #
      Chris PeBenito 17de1b
      interface(`kerberos_use',`
      Chris PeBenito 17de1b
      	gen_require(`
      Chris PeBenito 17de1b
      		type krb5_conf_t;
      Chris PeBenito 8708d9
      		type krb5kdc_conf_t;
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	files_search_etc($1)
      Chris PeBenito 17de1b
      	allow $1 krb5_conf_t:file { getattr read };
      Chris PeBenito 17de1b
      	dontaudit $1 krb5_conf_t:file write;
      Chris PeBenito 6b19be
      	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
      Chris PeBenito 5b0647
      	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	tunable_policy(`allow_kerberos',`
      Chris PeBenito 17de1b
      		allow $1 self:tcp_socket create_socket_perms;
      Chris PeBenito 17de1b
      		allow $1 self:udp_socket create_socket_perms;
      Chris PeBenito 17de1b
      Chris PeBenito 190066
      		corenet_all_recvfrom_unlabeled($1)
      Chris PeBenito 190066
      		corenet_all_recvfrom_netlabel($1)
      Chris PeBenito 17de1b
      		corenet_tcp_sendrecv_all_if($1)
      Chris PeBenito 17de1b
      		corenet_udp_sendrecv_all_if($1)
      Chris PeBenito 17de1b
      		corenet_tcp_sendrecv_all_nodes($1)
      Chris PeBenito 17de1b
      		corenet_udp_sendrecv_all_nodes($1)
      Chris PeBenito 17de1b
      		corenet_tcp_sendrecv_kerberos_port($1)
      Chris PeBenito 17de1b
      		corenet_udp_sendrecv_kerberos_port($1)
      Chris PeBenito 17de1b
      		corenet_tcp_bind_all_nodes($1)
      Chris PeBenito 17de1b
      		corenet_udp_bind_all_nodes($1)
      Chris PeBenito 17de1b
      		corenet_tcp_connect_kerberos_port($1)
      Chris PeBenito d6d16b
      		corenet_tcp_connect_ocsp_port($1)
      Chris PeBenito 17de1b
      		corenet_sendrecv_kerberos_client_packets($1)
      Chris PeBenito d6d16b
      		corenet_sendrecv_ocsp_client_packets($1)
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      		sysnet_read_config($1)
      Chris PeBenito 17de1b
      		sysnet_dns_name_resolve($1)
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 6b19be
      Chris PeBenito 6b19be
      	optional_policy(`
      Chris PeBenito 6b19be
      		tunable_policy(`allow_kerberos',`
      Chris PeBenito 6b19be
      			pcscd_stream_connect($1)
      Chris PeBenito 6b19be
      		')
      Chris PeBenito 6b19be
      	')
      Chris PeBenito 17de1b
      ')
      ########################################
      Chris PeBenito 17de1b
      ## <summary>
      Chris PeBenito 17de1b
      ##	Read the kerberos configuration file (/etc/krb5.conf).
      Chris PeBenito 17de1b
      ## </summary>
      Chris PeBenito 17de1b
      ## <param name="domain">
      Chris PeBenito 17de1b
      ##	<summary>
      Chris PeBenito 17de1b
      ##	Domain allowed access.
      Chris PeBenito 17de1b
      ##	</summary>
      Chris PeBenito 17de1b
      ## </param>
      Chris PeBenito bbcd3c
      ## <rolecap/>
      Chris PeBenito 17de1b
      #
      Chris PeBenito 17de1b
      interface(`kerberos_read_config',`
      Chris PeBenito 17de1b
      	gen_require(`
      Chris PeBenito 17de1b
      		type krb5_conf_t;
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	files_search_etc($1)
      Chris PeBenito c0868a
      	allow $1 krb5_conf_t:file read_file_perms;
      Chris PeBenito 17de1b
      ')
      ########################################
      Chris PeBenito 17de1b
      ## <summary>
      Chris PeBenito 17de1b
      ##	Do not audit attempts to write the kerberos
      Chris PeBenito 17de1b
      ##	configuration file (/etc/krb5.conf).
      Chris PeBenito 17de1b
      ## </summary>
      Chris PeBenito 17de1b
      ## <param name="domain">
      Chris PeBenito 17de1b
      ##	<summary>
      Chris PeBenito 17de1b
      ##	Domain to not audit.
      Chris PeBenito 17de1b
      ##	</summary>
      Chris PeBenito 17de1b
      ## </param>
      Chris PeBenito 17de1b
      #
      Chris PeBenito 17de1b
      interface(`kerberos_dontaudit_write_config',`
      Chris PeBenito 17de1b
      	gen_require(`
      Chris PeBenito 17de1b
      		type krb5_conf_t;
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	dontaudit $1 krb5_conf_t:file write;
      Chris PeBenito 17de1b
      ')
      ########################################
      Chris PeBenito 17de1b
      ## <summary>
      Chris PeBenito 17de1b
      ##	Read and write the kerberos configuration file (/etc/krb5.conf).
      Chris PeBenito 17de1b
      ## </summary>
      Chris PeBenito 17de1b
      ## <param name="domain">
      Chris PeBenito 17de1b
      ##	<summary>
      Chris PeBenito 17de1b
      ##	Domain allowed access.
      Chris PeBenito 17de1b
      ##	</summary>
      Chris PeBenito 17de1b
      ## </param>
      Chris PeBenito bbcd3c
      ## <rolecap/>
      Chris PeBenito 17de1b
      #
      Chris PeBenito 17de1b
      interface(`kerberos_rw_config',`
      Chris PeBenito 17de1b
      	gen_require(`
      Chris PeBenito 17de1b
      		type krb5_conf_t;
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	files_search_etc($1)
      Chris PeBenito 17de1b
      	allow $1 krb5_conf_t:file rw_file_perms;
      Chris PeBenito 17de1b
      ')
      ########################################
      Chris PeBenito 17de1b
      ## <summary>
      Chris PeBenito 17de1b
      ##	Read the kerberos key table.
      Chris PeBenito 17de1b
      ## </summary>
      Chris PeBenito 17de1b
      ## <param name="domain">
      Chris PeBenito 17de1b
      ##	<summary>
      Chris PeBenito 17de1b
      ##	Domain allowed access.
      Chris PeBenito 17de1b
      ##	</summary>
      Chris PeBenito 17de1b
      ## </param>
      Chris PeBenito bbcd3c
      ## <rolecap/>
      Chris PeBenito 17de1b
      #
      Chris PeBenito 17de1b
      interface(`kerberos_read_keytab',`
      Chris PeBenito 17de1b
      	gen_require(`
      Chris PeBenito 17de1b
      		type krb5_keytab_t;
      Chris PeBenito 17de1b
      	')
      Chris PeBenito 17de1b
      Chris PeBenito 17de1b
      	files_search_etc($1)
      Chris PeBenito c0868a
      	allow $1 krb5_keytab_t:file read_file_perms;
      Chris PeBenito 17de1b
      ')
      ########################################
      Chris PeBenito ebc1e8
      ## <summary>
      Chris PeBenito ebc1e8
      ##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
      Chris PeBenito ebc1e8
      ## </summary>
      Chris PeBenito ebc1e8
      ## <param name="domain">
      Chris PeBenito ebc1e8
      ##	<summary>
      Chris PeBenito ebc1e8
      ##	Domain allowed access.
      Chris PeBenito ebc1e8
      ##	</summary>
      Chris PeBenito ebc1e8
      ## </param>
      Chris PeBenito ebc1e8
      ## <rolecap/>
      Chris PeBenito ebc1e8
      #
      Chris PeBenito ebc1e8
      interface(`kerberos_read_kdc_config',`
      Chris PeBenito ebc1e8
      	gen_require(`
      Chris PeBenito ebc1e8
      		type krb5kdc_conf_t;
      Chris PeBenito ebc1e8
      	')
      Chris PeBenito ebc1e8
      Chris PeBenito ebc1e8
      	files_search_etc($1)
      Chris PeBenito ebc1e8
      	allow $1 krb5kdc_conf_t:file read_file_perms;
      Chris PeBenito ebc1e8
      Chris PeBenito ebc1e8
      ')