From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 26 Aug 2013 09:49:53 -0400
Subject: [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
In-Reply-To: <5214BE77.2080004@tresys.com>
References: <1376650987-16490-1-git-send-email-dominick.grift@gmail.com> <5214BE77.2080004@tresys.com>
Message-ID: <521B5D01.9080609@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/21/2013 09:19 AM, Christopher J. PeBenito wrote:
> Dan/Miroslav, do you have any comments on the keytab functions? I don't
> have a kerberos system to look at.
>
> Dominick, from your contrib commit, you're saying that you looked at this
> because it breaks monolithic? It's too bad the toolchain can't emit
> file_context files out of semodule_expand, as then we could build all
> policies as modular, and then if monolithic is requested, simply expand out
> the modules into policy.2x and file_context files.
>
I think this is a good idea. We should change to this. I was never a fan of creating types in interfaces, for all of the weird side effects, and it makes code harder to understand.

> On 08/16/2013 07:03 AM, Dominick Grift wrote:
>> This keytab functionality should be re-evaluated because it does not make
>> sense in its current implementation
>>
>> Signed-off-by: Dominick Grift diff --git >> a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index >> eada65c..568c335 100644 --- a/policy/modules/services/ssh.te +++ >> b/policy/modules/services/ssh.te
@@ -74,6 +74,9 @@ typealias ssh_home_t >> alias { auditadm_home_ssh_t secadm_home_ssh_t }; >> userdom_user_home_content(ssh_home_t) >> >> +type sshd_keytab_t; +files_type(sshd_keytab_t) + >> ############################## # # SSH client local policy @@ -224,6 >> +227,8 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; >> allow sshd_t self:key { search link write }; >> >> +allow sshd_t sshd_keytab_t:file read_file_perms; + >> manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >> manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) @@ -261,7 >> +266,8 @@ ') >> >> optional_policy(` - kerberos_keytab_template(sshd, sshd_t) + >> kerberos_read_keytab(sshd_t) + kerberos_use(sshd_t) ') >> >> optional_policy(` _______________________________________________ >> refpolicy mailing list refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >> > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIbXQEACgkQrlYvE4MpobOLLACg58KPX0C0zSwVXLnBVkn36DM1 GvcAoNVw28+hCXmRfsAPsvlp8xLqCmPw =DT/w -----END PGP SIGNATURE-----
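Review bot: in the first hunk (@@ -74,6 +74,9 @@), the new `type sshd_keytab_t; files_type(sshd_keytab_t)` is declared with no file context to go with it; this diff touches only ssh.te, so nothing on disk will ever be labeled sshd_keytab_t until a matching ssh.fc entry exists. Add the ssh.fc line in the same patch, and put a short comment above the declaration naming the keytab path it is meant for. The declaration also lands directly above the "SSH client local policy" banner, next to the ssh_home_t alias and userdom_user_home_content(ssh_home_t); since it is a server-side type read only by sshd_t, it reads better grouped with the other sshd declarations.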
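Review bot: in the second hunk (@@ -224,6 +227,8 @@), `allow sshd_t sshd_keytab_t:file read_file_perms;` is unconditional, while the Kerberos rules it belongs with (the kerberos_read_keytab/kerberos_use calls in the last hunk) sit inside an optional_policy block. A keytab is only meaningful when Kerberos is in use, so either move this allow into that optional_policy block or add a comment stating why sshd_t must read sshd_keytab_t even when the kerberos module is absent. As written, the rule is dropped in between `allow sshd_t self:key { search link write };` and the sshd_tmp_t pattern rules with no comment, which makes it easy to miss on a later read.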
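Review bot: in the last hunk (@@ -261,7 +266,8 @@), replacing `kerberos_keytab_template(sshd, sshd_t)` with `kerberos_read_keytab(sshd_t)` plus `kerberos_use(sshd_t)`, combined with the explicit sshd_keytab_t read added earlier, means sshd_t now reads both whatever keytab type kerberos_read_keytab() grants and its own private sshd_keytab_t. The commit message only says the old template "does not make sense in its current implementation"; it does not say what the template used to provide that these two interface calls replace, why kerberos_use(sshd_t) is now needed alongside the keytab read, or whether the private type is still wanted once the shared keytab is readable. Please spell that out in the commit message, and if the private type is not needed, drop it rather than carrying both.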