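policy_module(sysadm, 2.1.4)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
# Off by default. When switched on, the tunable_policy block under
# "Local policy" grants domain_ptrace_all_domains(sysadm_t). Being able
# to ptrace every domain means sysadm_t can read and alter the memory of
# any confined process, which effectively dissolves the boundary between
# sysadm_t and the rest of the policy; keep it off on production systems.
gen_tunable(allow_ptrace, false)

role sysadm_r;

# sysadm_t and its user-domain plumbing come from the admin user template.
userdom_admin_user_template(sysadm)

# On non-MLS builds sysadm also carries the security-administrator
# privileges (on MLS builds these are presumably held by secadm_r
# instead; confirm against the userdom interfaces).
ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#

kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

# MLS overrides (per the interface names: read processes above the
# current level, read files and write processes up to clearance).
mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

# Exempt sysadm_t from user-based access control, so it is not held to
# the per-user separation enforced on processes, files and descriptors.
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

modutils_read_module_deps(sysadm_t)

miscfiles_read_hwdata(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_user_tmp_dirs(sysadm_t)
userdom_manage_user_tmp_files(sysadm_t)
userdom_manage_user_tmp_symlinks(sysadm_t)
userdom_manage_user_tmp_chr_files(sysadm_t)
userdom_manage_user_tmp_blk_files(sysadm_t)

# With direct_sysadm_daemon the admin can start daemons straight from
# sysadm_t (init_run_daemon); otherwise Gentoo is given the run_init
# path from the seutil module instead.
ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

# Audit log and audit configuration management is granted to sysadm only
# on non-MLS builds; on MLS builds it is presumably reserved for the
# audit administrator role (see auditadm_role_change below) -- confirm.
ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

# Gated by the allow_ptrace tunable declared above (default false).
tunable_policy(`allow_ptrace',`
	domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

optional_policy(`
	apt_run(sysadm_t, sysadm_r)
')

# sysadm_r may change into the audit administrator role (per the
# interface name).
optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
	consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
	daemonstools_run_start(sysadm_t, sysadm_r)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
')

optional_policy(`
	kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

# sysadm_r may change into the security administrator role (per the
# interface name).
optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

# When the unconfined module is loaded, sysadm_t may transition into the
# unconfined domain and thereby obtain whatever that module allows,
# which presumably sidesteps every restriction expressed here. A
# deployment that wants a genuinely confined administrator should not
# build the unconfined module.
optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

# A second, identical optional_policy(` vpn_run(...) ') block used to
# follow this one; the duplicate was dropped.
optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

# Granted on every distro; a duplicate inside the distro_redhat block
# below was removed.
optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')

# Desktop and end-user application roles. Red Hat builds leave these out
# of the administrator role, presumably so that sysadm_t does not run
# network-facing user applications (browsers, mail, IRC, media players)
# with administrator privileges -- confirm against the distro policy.
ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cron_admin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		dbus_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		evolution_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		games_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gift_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gnome_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		irc_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mozilla_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		thunderbird_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		tvtime_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')

	# xserver_role(sysadm_r, sysadm_t) is already granted unconditionally
	# above, so the copy that used to sit here added nothing.
	# NOTE(review): if the intent of this block was to keep the X server
	# role out of the Red Hat sysadm role, the unconditional call above
	# defeats that -- confirm which behaviour is wanted.
')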