diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 0c7f12f..f9691bd 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -74,7 +74,7 @@ interface(`kerberos_use',`
 ')
 files_search_etc($1)
- allow $1 krb5_conf_t:file read_file_perms;
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
 dontaudit $1 krb5_conf_t:file write;
 dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -84,6 +84,10 @@ interface(`kerberos_use',`
 selinux_dontaudit_validate_context($1)
 seutil_dontaudit_read_file_contexts($1)
+ optional_policy(`
+ sssd_read_public_files($1)
+ ')
+
 tunable_policy(`allow_kerberos',`
 allow $1 self:tcp_socket create_socket_perms;
 allow $1 self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index c7a148c..55b52f6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -112,6 +112,7 @@ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 kernel_read_system_state(kadmind_t)
@@ -283,7 +284,7 @@ allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
 allow kpropd_t krb5_keytab_t:file read_file_perms;
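Review bot: `read_files_pattern($1, krb5_conf_t, krb5_conf_t)` is wider than the `allow $1 krb5_conf_t:file read_file_perms;` line it replaces: the pattern also expands to `allow $1 krb5_conf_t:dir search_dir_perms;`, so every caller of `kerberos_use` now gets directory search on krb5_conf_t as well. That is appropriate if krb5_conf_t also labels a directory of configuration fragments and inert otherwise, but the widening is not visible from the call itself. A one-line rationale above it would make the intent reviewable, e.g. `# krb5_conf_t may also label a configuration include directory`. The `kerberos_use` interface begins outside this hunk.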
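Review bot: The new `optional_policy` block grants every caller of `kerberos_use` read access to sssd's public files, whether or not that caller uses the sssd KDC locator plugin, and the hunk carries no comment saying why. Since this interface is called by many domains, the reason belongs next to the call, e.g. `# sssd krb5 locator plugin: KDC information is published under sssd public files`. It is also worth stating in the commit message which denial motivated it, so the grant can be revisited if the locator plugin is not deployed. The interface body continues outside this hunk.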
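Review bot: `kernel_read_network_state(kadmind_t)` grants kadmind unconditional read access to the kernel's network state, and nothing in the hunk records which access was denied or which kadmind operation needs it. Record the motivating denial in the commit message; if the read turns out to be incidental rather than required for kadmind to function, a dontaudit of the same access would be the tighter choice. The kadmind_t rule block starts outside this hunk.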
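Review bot: Raising kpropd's access on `krb5_host_rcache_t` from `rw_file_perms` to `manage_file_perms` adds create, unlink and rename, which only behaves as intended if files kpropd creates are labelled krb5_host_rcache_t; this hunk adds no type transition, so unless one already exists elsewhere in the kpropd_t block a newly created replay cache would take the parent directory's type, and a companion `files_tmp_filetrans(kpropd_t, krb5_host_rcache_t, file)` is probably needed. The host replay cache type is shared with other Kerberos-accepting services, so the new unlink permission also lets kpropd remove their caches, which weakens replay protection for them; the commit message should say why rw was insufficient. The kpropd_t rules continue outside this hunk.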