From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 23 Sep 2013 14:28:38 -0400 Subject: [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) In-Reply-To: <1376650987-16490-1-git-send-email-dominick.grift@gmail.com> References: <1376650987-16490-1-git-send-email-dominick.grift@gmail.com> Message-ID: <52408856.7000904@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/16/2013 07:03 AM, Dominick Grift wrote: > > This keytab functionality should be re-evaluated because it does not > make sense in its current implementation > > Signed-off-by: Dominick Grift > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index eada65c..568c335 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -74,6 +74,9 @@ > typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; > userdom_user_home_content(ssh_home_t) > > +type sshd_keytab_t; > +files_type(sshd_keytab_t) > + > ############################## > # > # SSH client local policy > @@ -224,6 +227,8 @@ > allow sshd_t self:netlink_route_socket r_netlink_socket_perms; > allow sshd_t self:key { search link write }; > > +allow sshd_t sshd_keytab_t:file read_file_perms; > + > manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) > manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) > manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) > @@ -261,7 +266,8 @@ > ') > > optional_policy(` > - kerberos_keytab_template(sshd, sshd_t) > + kerberos_read_keytab(sshd_t) > + kerberos_use(sshd_t) > ') Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
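
Review bot: In the `@@ -74,6 +74,9 @@` hunk, `type sshd_keytab_t;` is declared with `files_type(sshd_keytab_t)`, but the diff as shown touches only ssh.te and adds no file context entry for the new type. Without one, no path is labeled sshd_keytab_t by default and the read rule added in the next hunk matches nothing until an administrator relabels a file by hand. Either add the matching entry to the module's .fc file in the same patch, or put a comment above the declaration naming the keytab path that is expected to carry this type.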
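
Review bot: In the `@@ -224,6 +227,8 @@` hunk, `allow sshd_t sshd_keytab_t:file read_file_perms;` is placed between the `self:` rules and the sshd_tmp_t patterns with no comment, and it is unconditional while the Kerberos calls in the last hunk sit inside `optional_policy`. Since a keytab holds key material, a one-line comment stating that this is the private sshd keytab and why the rule lives outside the optional block would make the grant easier to audit; if it is only meaningful with Kerberos present, group it with the Kerberos rules instead.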
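
Review bot: In the `@@ -261,7 +266,8 @@` hunk, `kerberos_read_keytab(sshd_t)` is added alongside the new private `sshd_keytab_t` read rule, so sshd_t ends up with two separate keytab read grants and nothing in the patch says which one sshd is meant to rely on. The commit message itself says the keytab functionality should be re-evaluated; record that as a comment inside the `optional_policy` block, including which of the two grants is expected to go away, so the wider access does not become permanent by default. The message would also benefit from a sentence on how the deprecated `kerberos_keytab_template(sshd, sshd_t)` call breaks the monolithic build, since the subject line is the only place that is mentioned.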