diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 97e792d..12d6625 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -169,13 +169,11 @@ allow inetd_child_t self:fifo_file rw_file_perms; allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms }; # for identd -# cjp: this should probably only be inetd_child rules? allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; allow inetd_child_t self:dir search; allow inetd_child_t self:{ lnk_file file } { getattr read }; #allow inetd_child_t home_root_t:dir search; -#can_kerberos(inetd_child_t) allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms; allow inetd_child_t inetd_child_tmp_t:file create_file_perms; @@ -214,6 +212,10 @@ tunable_policy(`run_ssh_inetd',` corenet_tcp_bind_ssh_port(inetd_t) ') +optional_policy(`kerberos.te',` + kerberos_use(inetd_child_t) +') + optional_policy(`nis.te',` nis_use_ypbind(inetd_child_t) ') diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if index 23839ca..a2a76fe 100644 --- a/refpolicy/policy/modules/services/kerberos.if +++ b/refpolicy/policy/modules/services/kerberos.if @@ -49,10 +49,10 @@ interface(`kerberos_use',` corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) sysnet_read_config($1) + ') - tunable_policy(`use_dns',` - corenet_udp_sendrecv_dns_port($1) - ') + tunable_policy(`allow_kerberos && use_dns',` + corenet_udp_sendrecv_dns_port($1) ') files_search_etc($1) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 2635c89..09bd7fb 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -148,6 +148,10 @@ template(`ssh_per_userdomain_template',` corenet_tcp_bind_ssh_port($1_ssh_t) ') + optional_policy(`kerberos.te',` + kerberos_use($1_ssh_t) + ') + optional_policy(`nis.te',` nis_use_ypbind($1_ssh_t) ') @@ -170,8 +174,6 @@ template(`ssh_per_userdomain_template',` allow $1_ssh_t var_run_t:dir r_dir_perms; allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; - can_kerberos($1_ssh_t) - allow $1_ssh_t $1_tmp_t:dir r_dir_perms; # Access the users .ssh directory. diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 91436bd..85c18f7 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',` seutil_read_config($1_chkpwd_t) - #can_kerberos($1_chkpwd_t) #can_ldap($1_chkpwd_t) # Transition from the user domain to this domain. @@ -96,6 +95,10 @@ template(`authlogin_per_userdomain_template',` sysnet_read_config($1_chkpwd_t) ') + optional_policy(`kerberos.te',` + kerberos_use($1_chkpwd_t) + ') + optional_policy(`nis.te',` nis_use_ypbind($1_chkpwd_t) ') @@ -104,7 +107,7 @@ template(`authlogin_per_userdomain_template',` seutil_use_newrole_fd($1_chkpwd_t) ') -') dnl end authlogin_per_userdomain_template +') ######################################## ## @@ -188,7 +191,10 @@ interface(`auth_domtrans_chk_passwd',` sysnet_read_config($1) ') - #can_kerberos($1) + optional_policy(`kerberos.te',` + kerberos_use($1) + ') + #can_ldap($1) optional_policy(`nis.te',` diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index eb4461f..f775741 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -270,12 +270,15 @@ tunable_policy(`use_dns',` sysnet_read_config(system_chkpwd_t) ') +optional_policy(`kerberos.te',` + kerberos_use(system_chkpwd_t) +') + optional_policy(`nis.te',` nis_use_ypbind(system_chkpwd_t) ') ifdef(`TODO',` -can_kerberos(system_chkpwd_t) can_ldap(system_chkpwd_t) ') dnl end TODO diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index ab32337..70f88b3 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -343,6 +343,10 @@ optional_policy(`hotplug.te',` modutils_read_mods_deps(initrc_t) ') +optional_policy(`kerberos.te',` + kerberos_use(initrc_t) +') + optional_policy(`lvm.te',` #allow initrc_t lvm_control_t:chr_file unlink; @@ -399,11 +403,6 @@ allow initrc_t { file_t default_t }:dir { read search getattr mounton }; # Set device ownerships/modes. allow initrc_t xconsole_device_t:fifo_file setattr; -# for lsof in shutdown scripts -can_kerberos(initrc_t) -dontaudit initrc_t krb5_conf_t:file write; -allow initrc_t krb5_conf_t:file r_file_perms; - # # These rules are here to allow init scripts to su # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 655b608..ae52c22 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -512,6 +512,10 @@ template(`unpriv_user_template', ` corenet_tcp_bind_generic_port($1_t) ') + optional_policy(`kerberos.te',` + kerberos_use($1_t) + ') + # for running depmod as part of the kernel packaging process optional_policy(`modutils.te',` modutils_read_module_conf($1_t) @@ -532,8 +536,6 @@ template(`unpriv_user_template', ` dontaudit $1_t boot_t:lnk_file read; dontaudit $1_t boot_t:file read; - can_kerberos($1_t) - # do not audit read on disk devices dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;