From 039581d1ed67901f244679c80310bf6951dd10e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 7 Apr 2008 23:38:51 -0400
Subject: Some SELinux policy changes provided by Dan Walsh. 440651
---
 ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'ipa-server/selinux')
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index 328043fd7..55e65cc39 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -16,6 +16,7 @@ init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
 # IPA kpasswd local policy
 #
+allow ipa_kpasswd_t self:capability { sys_nice dac_override };
 allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
 allow ipa_kpasswd_t self:udp_socket create_socket_perms;
@@ -36,6 +37,8 @@ logging_send_syslog_msg(ipa_kpasswd_t)
 miscfiles_read_localization(ipa_kpasswd_t)
 kerberos_use(ipa_kpasswd_t)
+kerberos_manage_host_rcache(ipa_kpasswd_t)
+kerberos_read_kdc_config(ipa_kpasswd_t)
 kernel_read_system_state(ipa_kpasswd_t)
@@ -58,3 +61,8 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
 corenet_udp_bind_all_nodes(ipa_kpasswd_t)
 corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
 corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
+require {
+ type krb5kdc_conf_t;
+};
+
+allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;
-- 
cgit
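Review bot: `dac_override` in the added `self:capability` rule (first hunk) lets ipa_kpasswd_t bypass file owner and mode checks on every object its type-enforcement rules already reach, and nothing in the commit says which access required it. A DAC denial of this kind usually points at wrong ownership or mode on a file the daemon uses, so correcting that file is the narrower remedy; if only read or directory search is being blocked, `dac_read_search` would be enough. If the capability has to stay, add a comment above the rule such as `# dac_override: <file and reason>` so it can be dropped once the underlying permission is fixed. `sys_nice` would benefit from the same one-line justification.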
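Review bot: The last hunk names `krb5kdc_conf_t` directly through a `require` block instead of going through a kerberos module interface, which ties this module to a type name that another module owns. The second hunk already adds `kerberos_read_kdc_config(ipa_kpasswd_t)`; depending on the policy version, that interface may already grant directory search on `krb5kdc_conf_t`, which would make this `allow` redundant, so it is worth checking against the interface definition. If the rule is needed, a comment such as `# kerberos_read_kdc_config() does not grant search on the KDC config dir in this policy version` would record why. The rule would also read better next to the `kerberos_*` calls than after the corenet rules at the end of the file.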