## MIT Kerberos admin and KDC ## ##

## This policy supports: ##

##

## Servers: ##

##

##

## Clients: ##

##

##
######################################## ## ## Execute kadmind in the current domain ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_exec_kadmind',` gen_require(` type kadmind_exec_t; ') can_exec($1, kadmind_exec_t) ') ######################################## ## ## Execute a domain transition to run kpropd. ## ## ## ## Domain allowed to transition. ## ## # interface(`kerberos_domtrans_kpropd',` gen_require(` type kpropd_t, kpropd_exec_t; ') domtrans_pattern($1, kpropd_exec_t, kpropd_t) ') ######################################## ## ## Use kerberos services ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_use',` gen_require(` type krb5_conf_t, krb5kdc_conf_t; type krb5_host_rcache_t; ') files_search_etc($1) read_files_pattern($1, krb5_conf_t, krb5_conf_t) list_dirs_pattern($1, krb5_conf_t, krb5_conf_t) dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; #kerberos libraries are attempting to set the correct file context dontaudit $1 self:process setfscreate; selinux_dontaudit_validate_context($1) seutil_read_file_contexts($1) tunable_policy(`kerberos_enabled',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_udp_sendrecv_generic_node($1) corenet_tcp_sendrecv_kerberos_port($1) corenet_udp_sendrecv_kerberos_port($1) corenet_tcp_bind_generic_node($1) corenet_udp_bind_generic_node($1) corenet_tcp_connect_kerberos_port($1) corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) allow $1 krb5_host_rcache_t:dir search_dir_perms; allow $1 krb5_host_rcache_t:file getattr_file_perms; ') optional_policy(` tunable_policy(`kerberos_enabled',` pcscd_stream_connect($1) ') ') optional_policy(` sssd_read_public_files($1) ') # Allow to use kerberos KCM daemon (sssd-kcm) optional_policy(` sssd_run_stream_connect($1) ') ') ######################################## ## ## Read the kerberos configuration file (/etc/krb5.conf). ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_read_config',` gen_require(` type krb5_conf_t, krb5_home_t; ') files_search_etc($1) allow $1 krb5_conf_t:file read_file_perms; allow $1 krb5_home_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to write the kerberos ## configuration file (/etc/krb5.conf). ## ## ## ## Domain to not audit. ## ## # interface(`kerberos_dontaudit_write_config',` gen_require(` type krb5_conf_t; ') dontaudit $1 krb5_conf_t:file write; ') ######################################## ## ## Read and write the kerberos configuration file (/etc/krb5.conf). ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_rw_config',` gen_require(` type krb5_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file rw_file_perms; ') ######################################## ## ## Read the kerberos key table. ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_read_keytab',` gen_require(` type krb5_keytab_t; ') files_search_etc($1) allow $1 krb5_keytab_t:dir search_dir_perms; allow $1 krb5_keytab_t:file read_file_perms; ') ######################################## ## ## Read/Write the kerberos key table. ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_rw_keytab',` gen_require(` type krb5_keytab_t; ') files_search_etc($1) allow $1 krb5_keytab_t:dir search_dir_perms; allow $1 krb5_keytab_t:file rw_file_perms; ') ######################################## ## ## Create keytab file in /etc ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`kerberos_etc_filetrans_keytab',` gen_require(` type krb5_keytab_t; ') allow $1 krb5_keytab_t:dir search_dir_perms; allow $1 krb5_keytab_t:file manage_file_perms; files_etc_filetrans($1, krb5_keytab_t, file, $2) ') ######################################## ## ## Create a derived type for kerberos keytab ## ## ## ## The prefix to be used for deriving type names. ## ## ## ## ## Domain allowed access. ## ## # template(`kerberos_keytab_template',` refpolicywarn(`$0($*) has been deprecated.') kerberos_read_keytab($2) kerberos_use($2) ') ######################################## ## ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_read_kdc_config',` gen_require(` type krb5kdc_conf_t; ') files_search_etc($1) read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ') ######################################## ## ## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_manage_kdc_config',` gen_require(` type krb5kdc_conf_t; ') files_search_etc($1) manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ') ######################################## ## ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_read_host_rcache',` gen_require(` type krb5_host_rcache_t; ') read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ') ######################################## ## ## Read/Write the kerberos host rcache files. ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_rw_host_rcache',` gen_require(` type krb5_host_rcache_t; ') allow $1 krb5_host_rcache_t:dir search_dir_perms; allow $1 krb5_host_rcache_t:file rw_file_perms; ') ######################################## ## ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_manage_host_rcache',` gen_require(` type krb5_host_rcache_t; ') # creates files as system_u no matter what the selinux user # cjp: should be in the below tunable but typeattribute # does not work in conditionals domain_obj_id_change_exemption($1) tunable_policy(`kerberos_enabled',` allow $1 self:process setfscreate; selinux_validate_context($1) seutil_read_file_contexts($1) files_rw_generic_tmp_dir($1) manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) files_search_tmp($1) ') ') ######################################## ## ## All of the rules required to administrate ## an kerberos environment ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed to manage the kerberos domain. ## ## ## # interface(`kerberos_admin',` gen_require(` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; type krb5kdc_var_run_t, krb5_host_rcache_t; ') allow $1 kadmind_t:process signal_perms; ps_process_pattern($1, kadmind_t) tunable_policy(`deny_ptrace',`',` allow $1 kadmind_t:process ptrace; allow $1 krb5kdc_t:process ptrace; allow $1 kpropd_t:process ptrace; ') allow $1 krb5kdc_t:process signal_perms; ps_process_pattern($1, krb5kdc_t) allow $1 kpropd_t:process signal_perms; ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 kerberos_initrc_exec_t system_r; allow $2 system_r; logging_list_logs($1) admin_pattern($1, kadmind_log_t) files_list_tmp($1) admin_pattern($1, kadmind_tmp_t) files_list_pids($1) admin_pattern($1, kadmind_var_run_t) admin_pattern($1, krb5_conf_t) admin_pattern($1, krb5_host_rcache_t) admin_pattern($1, krb5_keytab_t) admin_pattern($1, krb5kdc_principal_t) admin_pattern($1, krb5kdc_tmp_t) admin_pattern($1, krb5kdc_var_run_t) ') ######################################## ## ## Type transition files created in /tmp ## to the krb5_host_rcache type. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`kerberos_tmp_filetrans_host_rcache',` gen_require(` type krb5_host_rcache_t; ') manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) ') ######################################## ## ## Type transition files created in /tmp ## to the kadmind_tmp type. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`kerberos_tmp_filetrans_kadmin',` gen_require(` type kadmind_tmp_t; ') manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t) files_tmp_filetrans($1, kadmind_tmp_t, file, $2) ') ######################################## ## ## read kerberos homedir content (.k5login) ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_read_home_content',` gen_require(` type krb5_home_t; ') userdom_search_user_home_dirs($1) read_files_pattern($1, krb5_home_t, krb5_home_t) ') ######################################## ## ## Manage the kerberos kdc /var/lib files ## and directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`kerberos_manage_kdc_var_lib',` gen_require(` type krb5kdc_var_lib_t; ') files_search_etc($1) manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t) manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t) ') ######################################## ## ## create kerberos content in the in the /root directory ## with an correct label. ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_filetrans_admin_home_content',` gen_require(` type krb5_home_t; ') userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5identity") userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users") ') ######################################## ## ## Transition to kerberos named content ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_filetrans_home_content',` gen_require(` type krb5_home_t; ') userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5identity") userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users") ') ######################################## ## ## Transition to kerberos named content ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_filetrans_named_content',` gen_require(` type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; type krb5kdc_principal_t; ') files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") kerberos_etc_filetrans_keytab($1, "krb5.keytab") kerberos_filetrans_admin_home_content($1) kerberos_tmp_filetrans_host_rcache($1, "DNS_25") kerberos_tmp_filetrans_host_rcache($1, "host_0") kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") kerberos_tmp_filetrans_host_rcache($1, "imap_0") kerberos_tmp_filetrans_host_rcache($1, "krb5_0.rcache2") kerberos_tmp_filetrans_host_rcache($1, "nfs_0") kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") kerberos_tmp_filetrans_host_rcache($1, "ldap_487") kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') ######################################## ## ## Write to temporary kadmind files. ## ## ## ## Domain allowed access. ## ## # interface(`kerberos_write_kadmind_tmp_files',` gen_require(` type kadmind_tmp_t; ') files_search_tmp($1) allow $1 kadmind_tmp_t:file write_file_perms; ')