I cannot think of anything that Kerberos applications need other than network and urandom. The KDC does not need write access to the database, although of course kadmind does. You probably want to make it difficult for either the KDC or the kadmind to execute other programs or switch domains to limit the efficacy of a compromise.

--Sam
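Added example, not part of the original message: a small audit that checks a policy against the constraints listed above (KDC read-only on the database, no running other programs, no domain switches). It assumes the policy is written as SELinux-style `allow` rules; the type names and sample rules are constructed for illustration.

```python
import re

# Constructed sample rules in SELinux allow-rule syntax. Assumption: the
# message names no policy language; type names here are illustrative.
SAMPLE_POLICY = """
allow krb5kdc_t urandom_device_t:chr_file { read open };
allow krb5kdc_t self:udp_socket { create bind read write };
allow krb5kdc_t krb5kdc_principal_t:file { read open write };
allow kadmind_t krb5kdc_principal_t:file { read open write };
allow kadmind_t lib_t:file { read open execute };
allow kadmind_t shell_exec_t:file { read execute execute_no_trans };
allow kadmind_t unconfined_t:process transition;
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
KDC, KADMIND = "krb5kdc_t", "kadmind_t"
DB_TYPE = "krb5kdc_principal_t"
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
DOMAIN_SWITCH = {"transition", "dyntransition"}


def parse(policy):
    """Yield (source, target, class, permission set) for each allow rule."""
    for src, tgt, cls, braced, single in RULE.findall(policy):
        yield src, tgt, cls, set((braced or single).split())


def audit(policy):
    """Return (domain, finding) pairs that break the message's constraints."""
    findings = []
    for src, tgt, cls, perms in parse(policy):
        if src not in (KDC, KADMIND):
            continue
        # The KDC only reads the database; kadmind is allowed to write it.
        if src == KDC and tgt == DB_TYPE and perms & WRITE_PERMS:
            findings.append((src, "write access to database"))
        # execute_no_trans runs another program inside the daemon's domain;
        # plain execute (e.g. mapping shared libraries) is not flagged.
        if cls == "file" and "execute_no_trans" in perms:
            findings.append((src, "executes " + tgt))
        if cls == "process" and perms & DOMAIN_SWITCH:
            findings.append((src, "switches domain to " + tgt))
    return findings


if __name__ == "__main__":
    for domain, finding in audit(SAMPLE_POLICY):
        print(domain + ": " + finding)
```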