daemons: Remove ipa_kpasswd

Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.

4 files changed, 4 insertions, 101 deletions

diff --git a/selinux/Makefile b/selinux/Makefile
index 62b7bf7e..9e87bdd8 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag
+SUBDIRS = ipa_httpd ipa_dogtag
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
@@ -21,9 +21,8 @@ maintainer-clean: distclean
 
 install: all
 	install -d $(POLICY_DIR)
-	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 	install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
 
 load:
-	/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
+	/usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa-server-selinux.spec.in b/selinux/ipa-server-selinux.spec.in
index 3387553a..b3c7d89c 100644
--- a/selinux/ipa-server-selinux.spec.in
+++ b/selinux/ipa-server-selinux.spec.in
@@ -36,7 +36,6 @@ make DESTDIR=%{buildroot} install
 
 %files
 %{_usr}/share/selinux/targeted/ipa_webgui.pp
-%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
 
 
 %define saveFileContext() \
@@ -61,7 +60,7 @@ fi;
 %saveFileContext targeted
 
 %post
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp
 %relabel targeted
 
 %preun
@@ -71,7 +70,7 @@ fi
 
 %postun
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui ipa_kpasswd
+semodule -s targeted -r ipa_webgui
 %relabel targeted
 fi
 
diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.fc b/selinux/ipa_kpasswd/ipa_kpasswd.fc
deleted file mode 100644
index 2dcf827d..00000000
--- a/selinux/ipa_kpasswd/ipa_kpasswd.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/ipa_kpasswd		--	gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
-
-#
-# /var
-#
-/var/cache/ipa/kpasswd(/.*)?  gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)
diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
deleted file mode 100644
index eefb70bc..00000000
--- a/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ /dev/null
@@ -1,86 +0,0 @@
-policy_module(ipa_kpasswd, 1.0)
-
-########################################
-#
-# Declarations
-#
-
-type ipa_kpasswd_t;
-type ipa_kpasswd_exec_t;
-type ipa_kpasswd_var_run_t;
-type ipa_kpasswd_ccache_t;
-init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
-
-########################################
-#
-# IPA kpasswd local policy
-#
-
-allow ipa_kpasswd_t self:capability { sys_nice dac_override };
-allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
-allow ipa_kpasswd_t self:udp_socket create_socket_perms;
-
-files_read_etc_files(ipa_kpasswd_t)
-files_search_usr(ipa_kpasswd_t)
-
-files_pid_file(ipa_kpasswd_var_run_t);
-allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file)
-
-auth_use_nsswitch(ipa_kpasswd_t)
-
-libs_use_ld_so(ipa_kpasswd_t)
-libs_use_shared_libs(ipa_kpasswd_t)
-
-logging_send_syslog_msg(ipa_kpasswd_t)
-
-miscfiles_read_localization(ipa_kpasswd_t)
-
-kerberos_use(ipa_kpasswd_t)
-kerberos_manage_host_rcache(ipa_kpasswd_t)
-kerberos_read_kdc_config(ipa_kpasswd_t)
-
-kernel_read_system_state(ipa_kpasswd_t)
-
-# /var/cache/ipa/kpasswd
-files_type(ipa_kpasswd_ccache_t)
-manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
-manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
-files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
-
-kernel_read_network_state(ipa_kpasswd_t)
-kernel_read_network_state_symlinks(ipa_kpasswd_t)
-
-corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
-corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
-corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
-corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t)
-corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t)
-corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t)
-corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t)
-corenet_udp_sendrecv_all_ports(ipa_kpasswd_t)
-corenet_non_ipsec_sendrecv(ipa_kpasswd_t)
-corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
-corenet_udp_bind_all_nodes(ipa_kpasswd_t)
-corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
-corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
-corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
-require {
-	type krb5kdc_conf_t; 
-};
-
-allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;
-
-optional_policy(`
-    gen_require(`
-             type kerberos_password_port_t;
-    ')
-    corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
-    corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
-')
-
-require {
-    type urandom_device_t;
-}
-
-allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };