--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-02-26 14:17:21.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/services/kerberos.if 2007-03-22 15:06:59.000000000 -0400
@@ -94,6 +94,27 @@
 ########################################
 ##
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kerberos_read_kdc_config',`
+ gen_require(`
+ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5kdc_conf_t:file read_file_perms;
+
+')
+
+########################################
+##
 ## Do not audit attempts to write the kerberos
 ## configuration file (/etc/krb5.conf).
 ##
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-03-20 23:38:09.000000000 -0400
+++ serefpolicy-2.5.10/policy/modules/services/kerberos.te 2007-03-22 15:06:59.000000000 -0400
@@ -68,7 +68,7 @@
 dontaudit kadmind_t krb5_conf_t:file write;
 read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
--- nsaserefpolicy/policy/modules/services/apache.te 2007-03-20 23:38:06.000000000 -0400
+++ serefpolicy-2.5.10/policy/modules/services/apache.te 2007-03-22 15:06:59.000000000 -0400
@@ -383,6 +400,7 @@
 optional_policy(`
 kerberos_use(httpd_t)
+ kerberos_read_kdc_config(httpd_t)
 ')
 optional_policy(`
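Review bot: The new `kerberos_read_kdc_config` interface grants only `files_search_etc($1)` and `allow $1 krb5kdc_conf_t:file read_file_perms;`, while kerberos.te in this same patch reads the type through `read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)`, which suggests the config may sit in a directory carrying that label. If it does, callers would be denied the directory search and the interface would not work as documented; `read_files_pattern($1,krb5kdc_conf_t,krb5kdc_conf_t)` would match the existing usage. The summary should also state that the grant covers every file labelled krb5kdc_conf_t rather than one path, so that someone reviewing a caller can judge what is exposed. The blank line before the closing `')` is stray.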
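Review bot: Adding `setattr` to the `dontaudit` rule on krb5kdc_conf_t silences the AVC record with no stated reason, so an attempt by kadmind_t to change attributes on the KDC configuration will no longer reach the audit log. The access stays denied, but that denial is a useful signal of a misconfigured or misbehaving kadmind. I would add a comment above the rule naming the benign operation that triggers it, for example `# kadmind tries to reset attributes on its config; denied and deliberately not audited (TODO confirm trigger)`. The surrounding kadmind_t rule block starts and ends outside the hunk.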
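Review bot: `kerberos_read_kdc_config(httpd_t)` gives the network-facing web server domain read access to the KDC configuration whenever the kerberos module is present, and nothing in the hunk says why httpd needs it. A web server acting as a Kerberos client would normally need only the client-side access that `kerberos_use(httpd_t)` presumably already provides, so this looks broader than least privilege unless a specific denial motivated it. Please add a comment on the new line recording the reason, for example `# <module> reads the kdc config at startup (see denial in <bug reference>)`, or drop the grant if the read is only a probe. The hunk offset (-383 to +400) indicates earlier apache.te changes that are not visible here.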