diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index e5d40f4..736ee13 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos, 1.10.0)
+policy_module(kerberos, 1.10.1)
 ########################################
 #
@@ -277,6 +277,8 @@ optional_policy(`
 #
 allow kpropd_t self:capability net_bind_service;
+allow kpropd_t self:process setfscreate;
+
 allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
@@ -285,10 +287,17 @@ allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
 allow kpropd_t krb5_keytab_t:file read_file_perms;
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
 corecmd_exec_bin(kpropd_t)
 corenet_all_recvfrom_unlabeled(kpropd_t)
@@ -303,10 +312,14 @@ dev_read_urand(kpropd_t)
 files_read_etc_files(kpropd_t)
 files_search_tmp(kpropd_t)
+selinux_validate_context(kpropd_t)
+
 logging_send_syslog_msg(kpropd_t)
 miscfiles_read_localization(kpropd_t)
+seutil_read_file_contexts(kpropd_t)
+
 sysnet_dns_name_resolve(kpropd_t)
 kerberos_use(kpropd_t)
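Review bot: `allow kpropd_t self:process setfscreate;` in the hunk at `@@ -277,6 +277,8 @@` has no comment, yet it lets kpropd_t choose the SELinux label of files it creates instead of taking the policy's type transition. Together with `selinux_validate_context(kpropd_t)` and `seutil_read_file_contexts(kpropd_t)` in the last hunk (`@@ -303,10 +312,14 @@`), it looks like support for a label-aware file creation path in the daemon or a helper it executes, but nothing in the patch says so. A comment above the rule, such as `# kpropd sets the creation context of the files it writes; needs file_contexts and context validation`, would tell an auditor why the three permissions belong together and that they should be dropped together if that path goes away.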
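Review bot: The unnamed `filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)` in the hunk at `@@ -285,10 +287,17 @@` gives every regular file kpropd_t creates in a krb5kdc_conf_t directory the type krb5kdc_lock_t. A new krb5kdc_principal_t file therefore only gets its intended type if the process sets the creation context itself, which is presumably what the `setfscreate` rule in the previous hunk is for. A comment such as `# files created here default to krb5kdc_lock_t; anything else must be labelled explicitly by the application` would make that dependency visible. `read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)` grants read on every file of that type, so it is worth confirming that no key-bearing file carries krb5kdc_conf_t. The tmp rules reuse krb5kdc_tmp_t rather than a kpropd-specific type, so if the KDC domain also manages that type (not visible in this diff), the two domains can modify each other's temporary files.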