* Apache wants to read krb5kdc.conf file
@ 2007-03-23 19:57 Daniel J Walsh
  2007-04-10 17:16 ` Christopher J. PeBenito
From: Daniel J Walsh @ 2007-03-23 19:57 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux


kadmind tries to setattr on krb5kdc file. Just a library checking access.



[-- Attachment #2: kerberos.patch --]

--- nsaserefpolicy/policy/modules/services/kerberos.if	2007-02-26 14:17:21.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/services/kerberos.if	2007-03-22 15:06:59.000000000 -0400
@@ -94,6 +94,27 @@
 
 ########################################
 ## <summary>
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+	gen_require(`
+		type krb5kdc_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5kdc_conf_t:file read_file_perms;
+
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write the kerberos
 ##	configuration file (/etc/krb5.conf).
 ## </summary>
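Review bot: the blank line between `allow $1 krb5kdc_conf_t:file read_file_perms;` and the closing `')` is stray; the neighbouring interfaces in kerberos.if close directly after their last rule, so drop it for consistency. The body itself is the usual shape for a config-read interface: `files_search_etc($1)` gives the directory search needed to reach /etc/krb5kdc.conf, and `read_file_perms` covers the getattr/read/lock a configuration read needs without granting any write.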
--- nsaserefpolicy/policy/modules/services/kerberos.te	2007-03-20 23:38:09.000000000 -0400
+++ serefpolicy-2.5.10/policy/modules/services/kerberos.te	2007-03-22 15:06:59.000000000 -0400
@@ -68,7 +68,7 @@
 dontaudit kadmind_t krb5_conf_t:file write;
 
 read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
 
 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
 
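Review bot: widening the dontaudit from `write` to `{ write setattr }` rather than adding an allow is the right call given the cover note (a library probing access, not a needed modification), but the thing to confirm before merge is that kadmind keeps working with the denial silenced instead of merely hidden; a run in permissive mode showing the only krb5kdc_conf_t denials are write/setattr would settle it. The `read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)` line above already grants getattr and read, so after this hunk kadmind can read its KDC config and any attempt to modify it is refused quietly.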
--- nsaserefpolicy/policy/modules/services/apache.te	2007-03-20 23:38:06.000000000 -0400
+++ serefpolicy-2.5.10/policy/modules/services/apache.te	2007-03-22 15:06:59.000000000 -0400
@@ -383,6 +400,7 @@
 
 optional_policy(`
 	kerberos_use(httpd_t)
+	kerberos_read_kdc_config(httpd_t)
 ')
 
 optional_policy(`
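Review bot: the hunk header `@@ -383,6 +400,7 @@` shows a 17-line offset between old and new, so this diff was generated against a tree carrying other apache.te changes not in this patch; regenerate it against plain nsaserefpolicy or apply with fuzz, and check the context still matches. On substance, `kerberos_read_kdc_config(httpd_t)` grants every httpd_t domain read of the KDC-side configuration, which only matters on hosts that run a KDC alongside Apache; since it sits next to the existing `kerberos_use(httpd_t)` call it is at least confined to the kerberos optional block, but if a boolean governs Apache's other optional network or auth access, placing this call under it would keep the grant off hosts that do not need it.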


* Re: Apache wants to read krb5kdc.conf file
  2007-03-23 19:57 Apache wants to read krb5kdc.conf file Daniel J Walsh
@ 2007-04-10 17:16 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-04-10 17:16 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Fri, 2007-03-23 at 15:57 -0400, Daniel J Walsh wrote:
> kadmind tries to setattr on krb5kdc file. Just a library checking
> access.

Merged.
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
