From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 23 Sep 2013 14:28:38 -0400
Subject: [refpolicy] [PATCH] The kerberos_keytab_template() template is
 deprecated: Breaks monolithic built (out-of-scope)
In-Reply-To: <1376650987-16490-1-git-send-email-dominick.grift@gmail.com>
References: <1376650987-16490-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <52408856.7000904@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/16/2013 07:03 AM, Dominick Grift wrote:
> 
> This keytab functionality should be re-evaluated because it does not
> make sense in its current implementation
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..568c335 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -74,6 +74,9 @@
>  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
>  userdom_user_home_content(ssh_home_t)
>  
> +type sshd_keytab_t;
> +files_type(sshd_keytab_t)
> +
>  ##############################
>  #
>  # SSH client local policy
> @@ -224,6 +227,8 @@
>  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
>  allow sshd_t self:key { search link write };
>  
> +allow sshd_t sshd_keytab_t:file read_file_perms;
> +
>  manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>  manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> @@ -261,7 +266,8 @@
>  ')
>  
>  optional_policy(`
> -	kerberos_keytab_template(sshd, sshd_t)
> +	kerberos_read_keytab(sshd_t)
> +	kerberos_use(sshd_t)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com