diff options
author | Simo Sorce <ssorce@redhat.com> | 2011-07-20 18:11:05 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-08-26 08:26:08 -0400 |
commit | dfa944da247f71f4ccf8a18eee30459e6c25caa5 (patch) | |
tree | a0734aaade4426e61f24e4a026b6c6f47ce30305 /selinux/ipa_kpasswd | |
parent | a60a71497bb412217922b00d0e8398bfc3e6a9db (diff) | |
download | freeipa-dfa944da247f71f4ccf8a18eee30459e6c25caa5.tar.gz freeipa-dfa944da247f71f4ccf8a18eee30459e6c25caa5.tar.xz freeipa-dfa944da247f71f4ccf8a18eee30459e6c25caa5.zip |
daemons: Remove ipa_kpasswd
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Diffstat (limited to 'selinux/ipa_kpasswd')
-rw-r--r-- | selinux/ipa_kpasswd/ipa_kpasswd.fc | 9 | ||||
-rw-r--r-- | selinux/ipa_kpasswd/ipa_kpasswd.te | 80 |
2 files changed, 0 insertions, 89 deletions
diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.fc b/selinux/ipa_kpasswd/ipa_kpasswd.fc deleted file mode 100644 index 2dcf827dd..000000000 --- a/selinux/ipa_kpasswd/ipa_kpasswd.fc +++ /dev/null @@ -1,9 +0,0 @@ -# -# /usr -# -/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0) - -# -# /var -# -/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0) diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te deleted file mode 100644 index 292be7b89..000000000 --- a/selinux/ipa_kpasswd/ipa_kpasswd.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(ipa_kpasswd, 1.0) - -######################################## -# -# Declarations -# - -type ipa_kpasswd_t; -type ipa_kpasswd_exec_t; -type ipa_kpasswd_var_run_t; -type ipa_kpasswd_ccache_t; -init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t) - -######################################## -# -# IPA kpasswd local policy -# - -allow ipa_kpasswd_t self:capability { sys_nice dac_override }; -allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms; -allow ipa_kpasswd_t self:udp_socket create_socket_perms; - -files_read_etc_files(ipa_kpasswd_t) -files_search_usr(ipa_kpasswd_t) - -files_pid_file(ipa_kpasswd_var_run_t); -allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms; -files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file) - -auth_use_nsswitch(ipa_kpasswd_t) - -libs_use_ld_so(ipa_kpasswd_t) -libs_use_shared_libs(ipa_kpasswd_t) - -logging_send_syslog_msg(ipa_kpasswd_t) - -miscfiles_read_localization(ipa_kpasswd_t) - -kerberos_use(ipa_kpasswd_t) -kerberos_manage_host_rcache(ipa_kpasswd_t) -kerberos_read_kdc_config(ipa_kpasswd_t) - -kernel_read_system_state(ipa_kpasswd_t) - -# /var/cache/ipa/kpasswd -files_type(ipa_kpasswd_ccache_t) -manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) -manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) -files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir) - -kernel_read_network_state(ipa_kpasswd_t) -kernel_read_network_state_symlinks(ipa_kpasswd_t) - -corenet_tcp_sendrecv_all_if(ipa_kpasswd_t) -corenet_udp_sendrecv_all_if(ipa_kpasswd_t) -corenet_raw_sendrecv_all_if(ipa_kpasswd_t) -corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t) -corenet_udp_sendrecv_all_ports(ipa_kpasswd_t) -corenet_non_ipsec_sendrecv(ipa_kpasswd_t) -corenet_tcp_bind_all_nodes(ipa_kpasswd_t) -corenet_udp_bind_all_nodes(ipa_kpasswd_t) -corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t) -corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t) -require { - type krb5kdc_conf_t; -}; - -allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms; - -optional_policy(` - gen_require(` - type kerberos_password_port_t; - ') - corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t) - corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t) -') - |