From: aranea@aixah.de (Luis Ressel)
Date: Fri, 14 Feb 2014 20:47:21 +0100
Subject: [refpolicy] [PATCH 3/3] Add a boolean governing kerberos access to pcscd.
In-Reply-To: <1392407241-18492-1-git-send-email-aranea@aixah.de>
References: <1392407241-18492-1-git-send-email-aranea@aixah.de>
Message-ID: <1392407241-18492-4-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
 kerberos.if | 4 +++-
 kerberos.te | 9 ++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8..2d72456 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -108,7 +108,9 @@ interface(`kerberos_use',`
 optional_policy(`
 tunable_policy(`allow_kerberos',`
- pcscd_stream_connect($1)
+ tunable_policy(`kerberos_connect_pcscd',`
+ pcscd_stream_connect($1)
+ ')
 ')
 ')
diff --git a/kerberos.te b/kerberos.te
index 8833d59..eee29ca 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.12.0)
+policy_module(kerberos, 1.12.1)
 ########################################
 #
@@ -12,6 +12,13 @@ policy_module(kerberos, 1.12.0)
 ##
 gen_tunable(allow_kerberos, false)
+##
+##
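Review bot: In the kerberos.if hunk the added tunable_policy block for kerberos_connect_pcscd is nested inside the existing allow_kerberos tunable_policy; as far as I know tunable_policy expands to a policy `if` block and the SELinux conditional language does not accept an `if` inside another, so this is likely to fail at build time. A single combined condition expresses the same intent: ``tunable_policy(`allow_kerberos && kerberos_connect_pcscd',` `` wrapped around the one `pcscd_stream_connect($1)` line. Because the new boolean defaults to false, every caller of kerberos_use loses the pcscd connection until an administrator enables it; that is the least-privilege default, but the commit description should say so, since setups that presumably rely on smart cards for Kerberos will need the boolean turned on. The kerberos_use interface starts and ends outside the hunk.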

+## Determine whether kerberos can connect to pcscd.
+##

+##
+gen_tunable(kerberos_connect_pcscd, false)
+
 type kadmind_t;
 type kadmind_exec_t;
 init_daemon_domain(kadmind_t, kadmind_exec_t)
--
1.8.5.4
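Review bot: The description added for kerberos_connect_pcscd says "kerberos can connect to pcscd", but the only use visible in this patch is `pcscd_stream_connect($1)` inside the kerberos_use interface, so the boolean governs the domains that call kerberos_use rather than the Kerberos daemon domains declared in this file. I would word it `Determine whether domains using kerberos can connect to pcscd.` so an administrator auditing booleans knows which domains gain the access. It is also worth stating in the description that the boolean only takes effect when allow_kerberos is enabled too, since the rule sits inside that tunable.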