]>
Commit | Line | Data |
---|---|---|
08690c84 | 1 | policy_module(sysadm, 2.1.1) |
e9c6cda7 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | ## <desc> | |
9 | ## <p> | |
10 | ## Allow sysadm to debug or ptrace all processes. | |
11 | ## </p> | |
12 | ## </desc> | |
0bfccda4 | 13 | gen_tunable(allow_ptrace, false) |
e9c6cda7 CP |
14 | |
15 | role sysadm_r; | |
16 | ||
17 | userdom_admin_user_template(sysadm) | |
18 | ||
19 | ifndef(`enable_mls',` | |
296273a7 | 20 | userdom_security_admin_template(sysadm_t, sysadm_r) |
e9c6cda7 CP |
21 | ') |
22 | ||
23 | ######################################## | |
24 | # | |
25 | # Local policy | |
26 | # | |
27 | ||
28 | corecmd_exec_shell(sysadm_t) | |
29 | ||
30 | mls_process_read_up(sysadm_t) | |
31 | ||
296273a7 CP |
32 | ubac_process_exempt(sysadm_t) |
33 | ubac_file_exempt(sysadm_t) | |
34 | ubac_fd_exempt(sysadm_t) | |
35 | ||
e9c6cda7 CP |
36 | init_exec(sysadm_t) |
37 | ||
296273a7 CP |
38 | # Add/remove user home directories |
39 | userdom_manage_user_home_dirs(sysadm_t) | |
40 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
e9c6cda7 CP |
41 | |
42 | ifdef(`direct_sysadm_daemon',` | |
43 | optional_policy(` | |
296273a7 | 44 | init_run_daemon(sysadm_t, sysadm_r) |
e9c6cda7 CP |
45 | ') |
46 | ',` | |
47 | ifdef(`distro_gentoo',` | |
48 | optional_policy(` | |
296273a7 | 49 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) |
e9c6cda7 CP |
50 | ') |
51 | ') | |
52 | ') | |
53 | ||
54 | ifndef(`enable_mls',` | |
55 | logging_manage_audit_log(sysadm_t) | |
56 | logging_manage_audit_config(sysadm_t) | |
296273a7 | 57 | logging_run_auditctl(sysadm_t, sysadm_r) |
e9c6cda7 CP |
58 | ') |
59 | ||
60 | tunable_policy(`allow_ptrace',` | |
61 | domain_ptrace_all_domains(sysadm_t) | |
62 | ') | |
63 | ||
64 | optional_policy(` | |
296273a7 | 65 | amanda_run_recover(sysadm_t, sysadm_r) |
e9c6cda7 CP |
66 | ') |
67 | ||
68 | optional_policy(` | |
296273a7 | 69 | apache_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
70 | #apache_run_all_scripts(sysadm_t, sysadm_r) |
71 | #apache_domtrans_sys_script(sysadm_t) | |
296273a7 | 72 | apache_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
73 | ') |
74 | ||
75 | optional_policy(` | |
76 | # cjp: why is this not apm_run_client | |
77 | apm_domtrans_client(sysadm_t) | |
78 | ') | |
79 | ||
80 | optional_policy(` | |
296273a7 CP |
81 | apt_run(sysadm_t, sysadm_r) |
82 | ') | |
83 | ||
84 | optional_policy(` | |
85 | auditadm_role_change(sysadm_r) | |
86 | ') | |
87 | ||
88 | optional_policy(` | |
89 | auth_role(sysadm_r, sysadm_t) | |
90 | ') | |
91 | ||
92 | optional_policy(` | |
93 | backup_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
94 | ') |
95 | ||
96 | optional_policy(` | |
296273a7 | 97 | bind_run_ndc(sysadm_t, sysadm_r) |
e9c6cda7 CP |
98 | ') |
99 | ||
100 | optional_policy(` | |
296273a7 | 101 | bluetooth_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
102 | ') |
103 | ||
104 | optional_policy(` | |
296273a7 | 105 | bootloader_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
106 | ') |
107 | ||
108 | optional_policy(` | |
296273a7 | 109 | cdrecord_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
110 | ') |
111 | ||
112 | optional_policy(` | |
296273a7 | 113 | certwatch_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
114 | ') |
115 | ||
116 | optional_policy(` | |
296273a7 | 117 | clock_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
118 | ') |
119 | ||
120 | optional_policy(` | |
296273a7 | 121 | clockspeed_run_cli(sysadm_t, sysadm_r) |
e9c6cda7 CP |
122 | ') |
123 | ||
124 | optional_policy(` | |
296273a7 | 125 | consoletype_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
126 | ') |
127 | ||
128 | optional_policy(` | |
296273a7 | 129 | cron_admin_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
130 | ') |
131 | ||
132 | optional_policy(` | |
133 | cvs_exec(sysadm_t) | |
134 | ') | |
135 | ||
136 | optional_policy(` | |
296273a7 | 137 | dbus_role_template(sysadm, sysadm_r, sysadm_t) |
e9c6cda7 CP |
138 | ') |
139 | ||
140 | optional_policy(` | |
296273a7 CP |
141 | dcc_run_cdcc(sysadm_t, sysadm_r) |
142 | dcc_run_client(sysadm_t, sysadm_r) | |
143 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
144 | ') | |
145 | ||
146 | optional_policy(` | |
147 | ddcprobe_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
148 | ') |
149 | ||
150 | optional_policy(` | |
151 | dmesg_exec(sysadm_t) | |
152 | ') | |
153 | ||
154 | optional_policy(` | |
296273a7 CP |
155 | dmidecode_run(sysadm_t, sysadm_r) |
156 | ') | |
157 | ||
158 | optional_policy(` | |
159 | dpkg_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
160 | ') |
161 | ||
e9c6cda7 | 162 | optional_policy(` |
296273a7 | 163 | evolution_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
164 | ') |
165 | ||
166 | optional_policy(` | |
296273a7 | 167 | firstboot_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
168 | ') |
169 | ||
170 | optional_policy(` | |
296273a7 | 171 | fstools_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
172 | ') |
173 | ||
174 | optional_policy(` | |
296273a7 CP |
175 | games_role(sysadm_r, sysadm_t) |
176 | ') | |
177 | ||
178 | optional_policy(` | |
179 | gift_role(sysadm_r, sysadm_t) | |
180 | ') | |
181 | ||
182 | optional_policy(` | |
183 | gnome_role(sysadm_r, sysadm_t) | |
184 | ') | |
185 | ||
186 | optional_policy(` | |
187 | gpg_role(sysadm_r, sysadm_t) | |
188 | ') | |
189 | ||
190 | optional_policy(` | |
191 | hostname_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
192 | ') |
193 | ||
194 | optional_policy(` | |
195 | # allow system administrator to use the ipsec script to look | |
196 | # at things (e.g., ipsec auto --status) | |
197 | # probably should create an ipsec_admin role for this kind of thing | |
198 | ipsec_exec_mgmt(sysadm_t) | |
199 | ipsec_stream_connect(sysadm_t) | |
200 | # for lsof | |
201 | ipsec_getattr_key_sockets(sysadm_t) | |
202 | ') | |
203 | ||
204 | optional_policy(` | |
296273a7 CP |
205 | iptables_run(sysadm_t, sysadm_r) |
206 | ') | |
207 | ||
208 | optional_policy(` | |
209 | irc_role(sysadm_r, sysadm_t) | |
210 | ') | |
211 | ||
212 | optional_policy(` | |
213 | java_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
214 | ') |
215 | ||
216 | optional_policy(` | |
296273a7 | 217 | kudzu_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
218 | ') |
219 | ||
220 | optional_policy(` | |
296273a7 | 221 | libs_run_ldconfig(sysadm_t, sysadm_r) |
e9c6cda7 CP |
222 | ') |
223 | ||
224 | optional_policy(` | |
296273a7 | 225 | lockdev_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
226 | ') |
227 | ||
228 | optional_policy(` | |
296273a7 | 229 | logrotate_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
230 | ') |
231 | ||
232 | optional_policy(` | |
296273a7 CP |
233 | lpd_run_checkpc(sysadm_t, sysadm_r) |
234 | lpd_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
235 | ') |
236 | ||
237 | optional_policy(` | |
296273a7 | 238 | lvm_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
239 | ') |
240 | ||
241 | optional_policy(` | |
296273a7 CP |
242 | modutils_run_depmod(sysadm_t, sysadm_r) |
243 | modutils_run_insmod(sysadm_t, sysadm_r) | |
244 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
245 | ') |
246 | ||
247 | optional_policy(` | |
296273a7 CP |
248 | mount_run(sysadm_t, sysadm_r) |
249 | ') | |
250 | ||
251 | optional_policy(` | |
252 | mozilla_role(sysadm_r, sysadm_t) | |
253 | ') | |
254 | ||
255 | optional_policy(` | |
256 | mplayer_role(sysadm_r, sysadm_t) | |
257 | ') | |
258 | ||
259 | optional_policy(` | |
260 | mta_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
261 | ') |
262 | ||
263 | optional_policy(` | |
264 | munin_stream_connect(sysadm_t) | |
265 | ') | |
266 | ||
267 | optional_policy(` | |
268 | mysql_stream_connect(sysadm_t) | |
269 | ') | |
270 | ||
271 | optional_policy(` | |
296273a7 CP |
272 | netutils_run(sysadm_t, sysadm_r) |
273 | netutils_run_ping(sysadm_t, sysadm_r) | |
274 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
275 | ') |
276 | ||
277 | optional_policy(` | |
278 | ntp_stub() | |
279 | corenet_udp_bind_ntp_port(sysadm_t) | |
280 | ') | |
281 | ||
282 | optional_policy(` | |
296273a7 CP |
283 | oav_run_update(sysadm_t, sysadm_r) |
284 | ') | |
285 | ||
286 | optional_policy(` | |
287 | oident_manage_user_content(sysadm_t) | |
288 | oident_relabel_user_content(sysadm_t) | |
289 | ') | |
290 | ||
291 | optional_policy(` | |
292 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
293 | ') |
294 | ||
295 | optional_policy(` | |
296273a7 CP |
296 | portage_run(sysadm_t, sysadm_r) |
297 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
298 | ') |
299 | ||
300 | optional_policy(` | |
296273a7 | 301 | portmap_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
302 | ') |
303 | ||
304 | optional_policy(` | |
296273a7 | 305 | pyzor_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
306 | ') |
307 | ||
308 | optional_policy(` | |
296273a7 | 309 | quota_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
310 | ') |
311 | ||
312 | optional_policy(` | |
313 | raid_domtrans_mdadm(sysadm_t) | |
314 | ') | |
315 | ||
296273a7 CP |
316 | optional_policy(` |
317 | razor_role(sysadm_r, sysadm_t) | |
318 | ') | |
319 | ||
e9c6cda7 CP |
320 | optional_policy(` |
321 | rpc_domtrans_nfsd(sysadm_t) | |
322 | ') | |
323 | ||
324 | optional_policy(` | |
296273a7 CP |
325 | rpm_run(sysadm_t, sysadm_r) |
326 | ') | |
327 | ||
328 | optional_policy(` | |
329 | rssh_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
330 | ') |
331 | ||
332 | optional_policy(` | |
333 | rsync_exec(sysadm_t) | |
334 | ') | |
335 | ||
336 | optional_policy(` | |
296273a7 CP |
337 | samba_run_net(sysadm_t, sysadm_r) |
338 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
339 | ') |
340 | ||
341 | optional_policy(` | |
296273a7 | 342 | screen_role_template(sysadm, sysadm_r, sysadm_t) |
e9c6cda7 CP |
343 | ') |
344 | ||
345 | optional_policy(` | |
296273a7 | 346 | secadm_role_change(sysadm_r) |
e9c6cda7 CP |
347 | ') |
348 | ||
349 | optional_policy(` | |
296273a7 CP |
350 | seutil_run_setfiles(sysadm_t, sysadm_r) |
351 | seutil_run_runinit(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
352 | ') |
353 | ||
354 | optional_policy(` | |
296273a7 | 355 | spamassassin_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
356 | ') |
357 | ||
358 | optional_policy(` | |
296273a7 CP |
359 | ssh_role_template(sysadm, sysadm_r, sysadm_t) |
360 | ') | |
361 | ||
362 | optional_policy(` | |
363 | staff_role_change(sysadm_r) | |
364 | ') | |
365 | ||
366 | optional_policy(` | |
367 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
368 | ') | |
369 | ||
370 | optional_policy(` | |
371 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
372 | ') | |
373 | ||
374 | optional_policy(` | |
375 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
376 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
377 | ') | |
378 | ||
379 | optional_policy(` | |
380 | thunderbird_role(sysadm_r, sysadm_t) | |
381 | ') | |
382 | ||
383 | optional_policy(` | |
384 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
385 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
386 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
387 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
388 | ') | |
389 | ||
390 | optional_policy(` | |
391 | tvtime_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
392 | ') |
393 | ||
394 | optional_policy(` | |
395 | tzdata_domtrans(sysadm_t) | |
396 | ') | |
397 | ||
296273a7 CP |
398 | optional_policy(` |
399 | uml_role(sysadm_r, sysadm_t) | |
400 | ') | |
401 | ||
e9c6cda7 | 402 | optional_policy(` |
b34db7a8 | 403 | unconfined_domtrans(sysadm_t) |
e9c6cda7 CP |
404 | ') |
405 | ||
406 | optional_policy(` | |
296273a7 CP |
407 | unprivuser_role_change(sysadm_r) |
408 | ') | |
409 | ||
410 | optional_policy(` | |
411 | usbmodules_run(sysadm_t, sysadm_r) | |
412 | ') | |
e9c6cda7 | 413 | |
296273a7 CP |
414 | optional_policy(` |
415 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
416 | ') | |
417 | ||
418 | optional_policy(` | |
419 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
420 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
421 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
422 | ') | |
423 | ||
424 | optional_policy(` | |
425 | vmware_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
426 | ') |
427 | ||
428 | optional_policy(` | |
296273a7 | 429 | vpn_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
430 | ') |
431 | ||
432 | optional_policy(` | |
296273a7 | 433 | webalizer_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
434 | ') |
435 | ||
436 | optional_policy(` | |
296273a7 | 437 | wireshark_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
438 | ') |
439 | ||
440 | optional_policy(` | |
296273a7 | 441 | xserver_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
442 | ') |
443 | ||
444 | optional_policy(` | |
296273a7 | 445 | yam_run(sysadm_t, sysadm_r) |
e9c6cda7 | 446 | ') |