From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 1 Nov 2017 18:54:25 -0400 Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface In-Reply-To: <20171031053758.7816-1-jason@perfinion.com> References: <20171031053758.7816-1-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/31/2017 01:37 AM, Jason Zaman wrote: > --- > kerberos.if | 35 +++++++++++++++++++++++++++++++++++ > 1 file changed, 35 insertions(+) > > diff --git a/kerberos.if b/kerberos.if > index c8c5a37..8b46c1b 100644 > --- a/kerberos.if > +++ b/kerberos.if 
> @@ -425,6 +425,41 @@ interface(`kerberos_connect_524',` > > ######################################## > ## > +## Transition to kerberos named content > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kerberos_filetrans_named_content',` > + gen_require(` > + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; > + type krb5kdc_principal_t; > + ') > + > + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") > + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") > + > + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") > + > + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") > + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") > + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") > + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") > + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") > +') Can we do something better than this? It's ugly. Are all the named transitions really needed? -- Chris PeBenito
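Review bot: The nine kerberos_tmp_filetrans_host_rcache() calls hard-code replay-cache file names whose numeric suffix is the UID of the service that created the cache (DNS_25, HTTP_48, ldap_55, nfs_0, host_0), so the list only matches systems where named, apache, ldap and friends happen to have exactly those UIDs and will silently miss any other service or any distribution with different ids. Rather than enumerating names, consider a single unnamed transition into the rcache directory (the same interface without the name argument, if it accepts that form) or a file_contexts regex such as `/var/tmp/[a-zA-Z0-9]+_[0-9]+` on the rcache type, so every `<service>_<uid>` file is covered regardless of UID; the per-name rules can then be dropped. Separately, the interface's doc block as shown has bare `##` lines where refpolicy's `<summary>` and `<param name="domain">` markup belongs; please add the tags if they were not simply lost in transit, otherwise the interface will not render in the generated documentation.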