[DSE-User] SELinux on Wheezy: kerberos
Arno Schuring
aelschuring at hotmail.com
Thu Feb 9 22:45:21 UTC 2012
Another small diff: if the Kerberos database is stored in ldap and a
kdc happens to be running on the ldap server, allow it to connect via
the /run/slapd/slapi socket.
Regards,
Arno
-8<--
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 3525d24..98b842a 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
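Review bot: The two added /etc/init\.d/krb5-kdc and /etc/init\.d/krb5-admin-server entries are not mentioned in the description, which covers only the LDAP socket change. Please state in the message that the patch also labels these init scripts as kerberos_initrc_exec_t. The paths do not follow the /etc/rc\.d/init\.d form of the neighbouring entries, so consider wrapping them in an ifdef(`distro_debian', ...) block if they are meant to be distribution-specific, so the intent is clear in the file itself.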
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..5abaaee 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.11.0)
+policy_module(kerberos, 1.11.2)
########################################
#
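Review bot: The policy_module version jumps from 1.11.0 to 1.11.2, skipping 1.11.1. If no intermediate revision exists in the tree this patch is based on, bump to 1.11.1 instead. Otherwise, note which change took 1.11.1 so the version history stays traceable.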
@@ -323,3 +323,7 @@ seutil_read_file_contexts(kpropd_t)
sysnet_dns_name_resolve(kpropd_t)
kerberos_use(kpropd_t)
+
+optional_policy(`
+ ldap_stream_connect(krb5kdc_t)
+')
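Review bot: The new optional_policy block grants ldap_stream_connect to krb5kdc_t only, while the same patch labels the krb5-admin-server init script, which suggests kadmind may run on the same host. If kadmind also reads the LDAP-backed database over the local socket, kadmind_t needs the same rule. Otherwise, say in the description that only the KDC was tested. A one-line comment above the block explaining that it covers a KDC with its database in LDAP on the same machine would also help, since the block is appended after the kpropd_t rules rather than placed with the other krb5kdc_t rules.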