[people/stevee/selinux-policy.git] / policy / modules / roles / sysadm.te

policy_module(sysadm, 2.2.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
gen_tunable(allow_ptrace, false)

role sysadm_r;

userdom_admin_user_template(sysadm)

ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#
kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

dev_filetrans_all_named_dev(sysadm_t)
storage_filetrans_all_named_dev(sysadm_t)
term_filetrans_all_named_dev(sysadm_t)

mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

storage_setattr_fixed_disk_dev(sysadm_t)

ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

miscfiles_filetrans_named_content(sysadm_t)
miscfiles_read_hwdata(sysadm_t)

sysnet_filetrans_named_content(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_tmp_role(sysadm_r, sysadm_t)

optional_policy(`
	alsa_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(sysadm_t)
')

ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

tunable_policy(`allow_ptrace',`
	domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	apache_filetrans_home_content(sysadm_t)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

optional_policy(`
	apt_run(sysadm_t, sysadm_r)
')

optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
')

optional_policy(`
	consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
    daemonstools_run_start(sysadm_t, sysadm_r)
')

optional_policy(`
	dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	devicekit_filetrans_named_content(sysadm_t)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
	kerberos_filetrans_named_content(sysadm_t)
')

optional_policy(`
	kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
	modutils_read_module_deps(sysadm_t)
	modules_filetrans_named_content(sysadm_t)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
	# this is defined in userdom_common_user_template
	#mta_filetrans_home_content(sysadm_t)
	mta_filetrans_admin_home_content(sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	networkmanager_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	nx_filetrans_named_content(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	openvpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	polipo_role(sysadm_r, sysadm_t)
	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	polipo_named_filetrans_admin_config_home_files(sysadm_t)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	postfix_filetrans_named_content(sysadm_t)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	puppet_run_puppetca(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
	rpm_dbus_chat(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	samhain_admin(sysadm_t)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	setroubleshoot_stream_connect(sysadm_t)
	setroubleshoot_dbus_chat(sysadm_t)
	setroubleshoot_dbus_chat_fixit(sysadm_t)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
	systemd_passwd_agent_run(sysadm_t, sysadm_r)
	systemd_config_all_services(sysadm_t)
	systemd_manage_all_unit_files(sysadm_t)
	systemd_manage_all_unit_lnk_files(sysadm_t)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	udev_run(sysadm_t, sysadm_r)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
	virt_filetrans_home_content(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')

ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')
	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		dbus_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		evolution_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		games_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gift_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gnome_role(sysadm_r, sysadm_t)
		gnome_filetrans_admin_home_content(sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mock_admin(sysadm_t)
	')

	optional_policy(`
		mozilla_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		thunderbird_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		tvtime_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		xserver_role(sysadm_r, sysadm_t)
	')
')
Commit	Line	Data
d5048bc7	1	policy_module(sysadm, 2.2.1)
e9c6cda7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
	9	## <p>
	10	## Allow sysadm to debug or ptrace all processes.
	11	## </p>
	12	## </desc>
0bfccda4	13	gen_tunable(allow_ptrace, false)
e9c6cda7 CP	14
	15	role sysadm_r;
	16
	17	userdom_admin_user_template(sysadm)
	18
	19	ifndef(`enable_mls',`
296273a7	20	userdom_security_admin_template(sysadm_t, sysadm_r)
e9c6cda7 CP	21	')
	22
	23	########################################
	24	#
	25	# Local policy
	26	#
2968e068	27	kernel_read_fs_sysctls(sysadm_t)
e9c6cda7 CP	28
	29	corecmd_exec_shell(sysadm_t)
	30
3eaa9939 DW	31	domain_dontaudit_read_all_domains_state(sysadm_t)
3eaa9939 DW	32
2968e068 DW	33	files_read_kernel_modules(sysadm_t)
2968e068 DW	34
65f784aa DW	35	dev_filetrans_all_named_dev(sysadm_t)
	36	storage_filetrans_all_named_dev(sysadm_t)
	37	term_filetrans_all_named_dev(sysadm_t)
72eaebd0	38
e9c6cda7	39	mls_process_read_up(sysadm_t)
3eaa9939 DW	40	mls_file_read_to_clearance(sysadm_t)
3eaa9939 DW	41	mls_process_write_to_clearance(sysadm_t)
e9c6cda7	42
77b776ea DW	43	storage_setattr_fixed_disk_dev(sysadm_t)
77b776ea DW	44
296273a7 CP	45	ubac_process_exempt(sysadm_t)
	46	ubac_file_exempt(sysadm_t)
	47	ubac_fd_exempt(sysadm_t)
	48
3eaa9939 DW	49	application_exec(sysadm_t)
3eaa9939 DW	50
e9c6cda7	51	init_exec(sysadm_t)
3eaa9939 DW	52	init_exec_script_files(sysadm_t)
3eaa9939 DW	53	init_dbus_chat(sysadm_t)
2968e068 DW	54	init_script_role_transition(sysadm_r)
2968e068 DW	55
91a6f708	56	miscfiles_filetrans_named_content(sysadm_t)
2968e068	57	miscfiles_read_hwdata(sysadm_t)
e9c6cda7	58
9c7e72de	59	sysnet_filetrans_named_content(sysadm_t)
72eaebd0	60
296273a7 CP	61	# Add/remove user home directories
	62	userdom_manage_user_home_dirs(sysadm_t)
	63	userdom_home_filetrans_user_home_dir(sysadm_t)
2010eb96	64	userdom_manage_tmp_role(sysadm_r, sysadm_t)
e9c6cda7	65
76d53813	66	optional_policy(`
5b3ec473	67	alsa_filetrans_named_content(sysadm_t)
76d53813 DW	68	')
76d53813 DW	69
72eaebd0	70	optional_policy(`
a11cc065	71	ssh_filetrans_admin_home_content(sysadm_t)
72eaebd0 DW	72	')
72eaebd0 DW	73
e9c6cda7 CP	74	ifdef(`direct_sysadm_daemon',`
e9c6cda7 CP	75	optional_policy(`
296273a7	76	init_run_daemon(sysadm_t, sysadm_r)
e9c6cda7 CP	77	')
	78	',`
	79	ifdef(`distro_gentoo',`
	80	optional_policy(`
296273a7	81	seutil_init_script_run_runinit(sysadm_t, sysadm_r)
e9c6cda7 CP	82	')
	83	')
	84	')
	85
	86	ifndef(`enable_mls',`
	87	logging_manage_audit_log(sysadm_t)
	88	logging_manage_audit_config(sysadm_t)
296273a7	89	logging_run_auditctl(sysadm_t, sysadm_r)
3eaa9939	90	logging_stream_connect_syslog(sysadm_t)
e9c6cda7 CP	91	')
	92
	93	tunable_policy(`allow_ptrace',`
	94	domain_ptrace_all_domains(sysadm_t)
	95	')
	96
	97	optional_policy(`
296273a7	98	amanda_run_recover(sysadm_t, sysadm_r)
e9c6cda7 CP	99	')
	100
	101	optional_policy(`
296273a7	102	apache_run_helper(sysadm_t, sysadm_r)
3ad2a285	103	apache_filetrans_home_content(sysadm_t)
e9c6cda7 CP	104	#apache_run_all_scripts(sysadm_t, sysadm_r)
	105	#apache_domtrans_sys_script(sysadm_t)
	106	')
	107
	108	optional_policy(`
	109	# cjp: why is this not apm_run_client
	110	apm_domtrans_client(sysadm_t)
	111	')
	112
	113	optional_policy(`
296273a7 CP	114	apt_run(sysadm_t, sysadm_r)
	115	')
	116
	117	optional_policy(`
	118	auditadm_role_change(sysadm_r)
	119	')
	120
296273a7 CP	121	optional_policy(`
296273a7 CP	122	backup_run(sysadm_t, sysadm_r)
e9c6cda7 CP	123	')
	124
	125	optional_policy(`
296273a7	126	bind_run_ndc(sysadm_t, sysadm_r)
e9c6cda7 CP	127	')
e9c6cda7 CP	128
e9c6cda7	129	optional_policy(`
296273a7	130	bootloader_run(sysadm_t, sysadm_r)
e9c6cda7 CP	131	')
e9c6cda7 CP	132
3eaa9939 DW	133	optional_policy(`
	134	certmonger_dbus_chat(sysadm_t)
	135	')
	136
e9c6cda7	137	optional_policy(`
296273a7	138	certwatch_run(sysadm_t, sysadm_r)
e9c6cda7 CP	139	')
	140
	141	optional_policy(`
296273a7	142	clock_run(sysadm_t, sysadm_r)
e9c6cda7 CP	143	')
	144
	145	optional_policy(`
296273a7	146	clockspeed_run_cli(sysadm_t, sysadm_r)
e9c6cda7 CP	147	')
e9c6cda7 CP	148
0351e043 DW	149	optional_policy(`
	150	cron_admin_role(sysadm_r, sysadm_t)
	151	')
	152
e9c6cda7	153	optional_policy(`
296273a7	154	consoletype_run(sysadm_t, sysadm_r)
e9c6cda7 CP	155	')
e9c6cda7 CP	156
3eaa9939 DW	157	optional_policy(`
3eaa9939 DW	158	daemonstools_run_start(sysadm_t, sysadm_r)
e9c6cda7 CP	159	')
e9c6cda7 CP	160
4ec3fa73 DW	161	optional_policy(`
	162	dbus_role_template(sysadm, sysadm_r, sysadm_t)
	163	')
	164
e9c6cda7	165	optional_policy(`
296273a7 CP	166	dcc_run_cdcc(sysadm_t, sysadm_r)
	167	dcc_run_client(sysadm_t, sysadm_r)
	168	dcc_run_dbclean(sysadm_t, sysadm_r)
	169	')
	170
4ad28653	171	optional_policy(`
4ec3fa73	172	ddcprobe_run(sysadm_t, sysadm_r)
4ad28653 DW	173	')
4ad28653 DW	174
296273a7	175	optional_policy(`
d6091320	176	devicekit_filetrans_named_content(sysadm_t)
e9c6cda7 CP	177	')
	178
	179	optional_policy(`
	180	dmesg_exec(sysadm_t)
	181	')
	182
	183	optional_policy(`
296273a7 CP	184	dmidecode_run(sysadm_t, sysadm_r)
	185	')
	186
	187	optional_policy(`
	188	dpkg_run(sysadm_t, sysadm_r)
e9c6cda7 CP	189	')
e9c6cda7 CP	190
e9c6cda7	191	optional_policy(`
296273a7	192	firstboot_run(sysadm_t, sysadm_r)
e9c6cda7 CP	193	')
	194
	195	optional_policy(`
296273a7	196	fstools_run(sysadm_t, sysadm_r)
e9c6cda7 CP	197	')
e9c6cda7 CP	198
296273a7 CP	199	optional_policy(`
296273a7 CP	200	hostname_run(sysadm_t, sysadm_r)
e9c6cda7 CP	201	')
e9c6cda7 CP	202
bc71a042	203	optional_policy(`
641ac054	204	hadoop_role(sysadm_r, sysadm_t)
bc71a042 PN	205	')
bc71a042 PN	206
e9c6cda7 CP	207	optional_policy(`
	208	# allow system administrator to use the ipsec script to look
	209	# at things (e.g., ipsec auto --status)
	210	# probably should create an ipsec_admin role for this kind of thing
	211	ipsec_exec_mgmt(sysadm_t)
	212	ipsec_stream_connect(sysadm_t)
	213	# for lsof
	214	ipsec_getattr_key_sockets(sysadm_t)
3eaa9939 DW	215	ipsec_run_setkey(sysadm_t, sysadm_r)
	216	ipsec_run_racoon(sysadm_t, sysadm_r)
	217	ipsec_stream_connect_racoon(sysadm_t)
	218
	219	optional_policy(`
	220	ipsec_mgmt_dbus_chat(sysadm_t)
	221	')
e9c6cda7 CP	222	')
	223
	224	optional_policy(`
296273a7 CP	225	iptables_run(sysadm_t, sysadm_r)
	226	')
	227
f8f030aa DG	228	optional_policy(`
	229	irc_role(sysadm_r, sysadm_t)
	230	')
	231
3eaa9939 DW	232	optional_policy(`
3eaa9939 DW	233	kerberos_exec_kadmind(sysadm_t)
d141ac47	234	kerberos_filetrans_named_content(sysadm_t)
3eaa9939 DW	235	')
3eaa9939 DW	236
e9c6cda7	237	optional_policy(`
296273a7	238	kudzu_run(sysadm_t, sysadm_r)
e9c6cda7 CP	239	')
	240
	241	optional_policy(`
296273a7	242	libs_run_ldconfig(sysadm_t, sysadm_r)
e9c6cda7 CP	243	')
e9c6cda7 CP	244
e9c6cda7	245	optional_policy(`
296273a7	246	logrotate_run(sysadm_t, sysadm_r)
e9c6cda7 CP	247	')
	248
	249	optional_policy(`
296273a7 CP	250	lpd_run_checkpc(sysadm_t, sysadm_r)
296273a7 CP	251	lpd_role(sysadm_r, sysadm_t)
e9c6cda7 CP	252	')
	253
	254	optional_policy(`
296273a7	255	lvm_run(sysadm_t, sysadm_r)
e9c6cda7 CP	256	')
	257
	258	optional_policy(`
296273a7 CP	259	modutils_run_depmod(sysadm_t, sysadm_r)
	260	modutils_run_insmod(sysadm_t, sysadm_r)
	261	modutils_run_update_mods(sysadm_t, sysadm_r)
2371d8d8	262	modutils_read_module_deps(sysadm_t)
c66c51f7	263	modules_filetrans_named_content(sysadm_t)
e9c6cda7 CP	264	')
	265
	266	optional_policy(`
296273a7	267	mount_run(sysadm_t, sysadm_r)
3eaa9939	268	mount_run_showmount(sysadm_t, sysadm_r)
296273a7 CP	269	')
296273a7 CP	270
296273a7 CP	271	optional_policy(`
296273a7 CP	272	mta_role(sysadm_r, sysadm_t)
7c702088 MG	273	# this is defined in userdom_common_user_template
7c702088 MG	274	#mta_filetrans_home_content(sysadm_t)
780198a1	275	mta_filetrans_admin_home_content(sysadm_t)
e9c6cda7 CP	276	')
	277
	278	optional_policy(`
	279	munin_stream_connect(sysadm_t)
	280	')
	281
	282	optional_policy(`
	283	mysql_stream_connect(sysadm_t)
	284	')
	285
3eaa9939 DW	286	optional_policy(`
	287	ncftool_run(sysadm_t, sysadm_r)
	288	')
	289
e9c6cda7	290	optional_policy(`
296273a7 CP	291	netutils_run(sysadm_t, sysadm_r)
	292	netutils_run_ping(sysadm_t, sysadm_r)
	293	netutils_run_traceroute(sysadm_t, sysadm_r)
e9c6cda7 CP	294	')
e9c6cda7 CP	295
0ddcd8f6 DW	296	optional_policy(`
	297	networkmanager_filetrans_named_content(sysadm_t)
	298	')
	299
e9c6cda7 CP	300	optional_policy(`
	301	ntp_stub()
	302	corenet_udp_bind_ntp_port(sysadm_t)
	303	')
	304
e4b8dbb3	305	optional_policy(`
7e67b9c9	306	nx_filetrans_named_content(sysadm_t)
e4b8dbb3 DW	307	')
e4b8dbb3 DW	308
e9c6cda7	309	optional_policy(`
296273a7 CP	310	oav_run_update(sysadm_t, sysadm_r)
	311	')
	312
87f49770 MG	313	optional_policy(`
	314	openvpn_run(sysadm_t, sysadm_r)
	315	')
	316
296273a7 CP	317	optional_policy(`
296273a7 CP	318	pcmcia_run_cardctl(sysadm_t, sysadm_r)
e9c6cda7 CP	319	')
e9c6cda7 CP	320
f1b7d092 DG	321	optional_policy(`
	322	polipo_role(sysadm_r, sysadm_t)
	323	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	324	polipo_named_filetrans_admin_config_home_files(sysadm_t)
	325	')
	326
e9c6cda7	327	optional_policy(`
296273a7 CP	328	portage_run(sysadm_t, sysadm_r)
296273a7 CP	329	portage_run_gcc_config(sysadm_t, sysadm_r)
e9c6cda7 CP	330	')
	331
	332	optional_policy(`
296273a7	333	portmap_run_helper(sysadm_t, sysadm_r)
e9c6cda7 CP	334	')
e9c6cda7 CP	335
7dd47a9a DW	336	optional_policy(`
	337	postfix_filetrans_named_content(sysadm_t)
	338	')
	339
3eaa9939 DW	340	optional_policy(`
	341	prelink_run(sysadm_t, sysadm_r)
	342	')
	343
51b8b4c0 DW	344	optional_policy(`
	345	puppet_run_puppetca(sysadm_t, sysadm_r)
	346	')
	347
e9c6cda7	348	optional_policy(`
296273a7	349	quota_run(sysadm_t, sysadm_r)
e9c6cda7 CP	350	')
	351
	352	optional_policy(`
	353	raid_domtrans_mdadm(sysadm_t)
	354	')
	355
	356	optional_policy(`
	357	rpc_domtrans_nfsd(sysadm_t)
	358	')
	359
	360	optional_policy(`
296273a7	361	rpm_run(sysadm_t, sysadm_r)
4e889ea1	362	rpm_dbus_chat(sysadm_t, sysadm_r)
296273a7 CP	363	')
296273a7 CP	364
e9c6cda7 CP	365	optional_policy(`
	366	rsync_exec(sysadm_t)
	367	')
	368
	369	optional_policy(`
296273a7 CP	370	samba_run_net(sysadm_t, sysadm_r)
296273a7 CP	371	samba_run_winbind_helper(sysadm_t, sysadm_r)
e9c6cda7 CP	372	')
e9c6cda7 CP	373
b2f8897d HC	374	optional_policy(`
	375	samhain_admin(sysadm_t)
	376	')
	377
e9c6cda7	378	optional_policy(`
296273a7	379	screen_role_template(sysadm, sysadm_r, sysadm_t)
e9c6cda7 CP	380	')
	381
	382	optional_policy(`
296273a7	383	secadm_role_change(sysadm_r)
e9c6cda7 CP	384	')
e9c6cda7 CP	385
7c525b65 DW	386	optional_policy(`
	387	setroubleshoot_stream_connect(sysadm_t)
	388	setroubleshoot_dbus_chat(sysadm_t)
	389	setroubleshoot_dbus_chat_fixit(sysadm_t)
	390	')
	391
e9c6cda7	392	optional_policy(`
296273a7 CP	393	seutil_run_setfiles(sysadm_t, sysadm_r)
296273a7 CP	394	seutil_run_runinit(sysadm_t, sysadm_r)
e9c6cda7 CP	395	')
e9c6cda7 CP	396
3eaa9939 DW	397	optional_policy(`
	398	shutdown_run(sysadm_t, sysadm_r)
	399	')
	400
e9c6cda7	401	optional_policy(`
296273a7 CP	402	ssh_role_template(sysadm, sysadm_r, sysadm_t)
	403	')
	404
	405	optional_policy(`
	406	staff_role_change(sysadm_r)
	407	')
	408
	409	optional_policy(`
	410	su_role_template(sysadm, sysadm_r, sysadm_t)
	411	')
	412
	413	optional_policy(`
	414	sudo_role_template(sysadm, sysadm_r, sysadm_t)
	415	')
	416
	417	optional_policy(`
	418	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	419	sysnet_run_dhcpc(sysadm_t, sysadm_r)
	420	')
	421
d7441a41 DW	422	optional_policy(`
d7441a41 DW	423	systemd_passwd_agent_run(sysadm_t, sysadm_r)
faaa4a27 DW	424	systemd_config_all_services(sysadm_t)
	425	systemd_manage_all_unit_files(sysadm_t)
	426	systemd_manage_all_unit_lnk_files(sysadm_t)
d7441a41 DW	427	')
d7441a41 DW	428
296273a7 CP	429	optional_policy(`
	430	tripwire_run_siggen(sysadm_t, sysadm_r)
	431	tripwire_run_tripwire(sysadm_t, sysadm_r)
	432	tripwire_run_twadmin(sysadm_t, sysadm_r)
	433	tripwire_run_twprint(sysadm_t, sysadm_r)
	434	')
	435
e9c6cda7 CP	436	optional_policy(`
	437	tzdata_domtrans(sysadm_t)
	438	')
	439
	440	optional_policy(`
b34db7a8	441	unconfined_domtrans(sysadm_t)
e9c6cda7 CP	442	')
e9c6cda7 CP	443
9427adb7 MG	444	optional_policy(`
	445	udev_run(sysadm_t, sysadm_r)
	446	')
	447
e9c6cda7	448	optional_policy(`
296273a7 CP	449	unprivuser_role_change(sysadm_r)
	450	')
	451
	452	optional_policy(`
	453	usbmodules_run(sysadm_t, sysadm_r)
	454	')
e9c6cda7	455
296273a7 CP	456	optional_policy(`
	457	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	458	usermanage_run_groupadd(sysadm_t, sysadm_r)
	459	usermanage_run_useradd(sysadm_t, sysadm_r)
	460	')
	461
3eaa9939	462	optional_policy(`
7c525b65 DW	463	virt_stream_connect(sysadm_t)
7c525b65 DW	464	virt_filetrans_home_content(sysadm_t)
e9c6cda7 CP	465	')
	466
	467	optional_policy(`
7c525b65	468	vlock_run(sysadm_t, sysadm_r)
e9c6cda7 CP	469	')
e9c6cda7 CP	470
3eaa9939	471	optional_policy(`
7c525b65	472	vpn_run(sysadm_t, sysadm_r)
3eaa9939 DW	473	')
3eaa9939 DW	474
d35e2ee0	475	optional_policy(`
7c525b65	476	webalizer_run(sysadm_t, sysadm_r)
d35e2ee0 HC	477	')
d35e2ee0 HC	478
e9c6cda7	479	optional_policy(`
296273a7	480	xserver_role(sysadm_r, sysadm_t)
e9c6cda7 CP	481	')
	482
	483	optional_policy(`
296273a7	484	yam_run(sysadm_t, sysadm_r)
e9c6cda7	485	')
c87e1502	486
3eaa9939 DW	487	optional_policy(`
3eaa9939 DW	488	zebra_stream_connect(sysadm_t)
c87e1502 JS	489	')
c87e1502 JS	490
2968e068 DW	491	ifndef(`distro_redhat',`
	492	optional_policy(`
	493	apache_role(sysadm_r, sysadm_t)
	494	')
	495	optional_policy(`
	496	auth_role(sysadm_r, sysadm_t)
	497	')
3eaa9939	498
2968e068 DW	499	optional_policy(`
	500	bluetooth_role(sysadm_r, sysadm_t)
	501	')
	502
	503	optional_policy(`
	504	cdrecord_role(sysadm_r, sysadm_t)
	505	')
	506
2968e068 DW	507	optional_policy(`
	508	dbus_role_template(sysadm, sysadm_r, sysadm_t)
	509	')
	510
	511	optional_policy(`
	512	evolution_role(sysadm_r, sysadm_t)
	513	')
	514
	515	optional_policy(`
	516	games_role(sysadm_r, sysadm_t)
	517	')
	518
	519	optional_policy(`
	520	gift_role(sysadm_r, sysadm_t)
	521	')
	522
	523	optional_policy(`
	524	gnome_role(sysadm_r, sysadm_t)
a11cc065	525	gnome_filetrans_admin_home_content(sysadm_t)
2968e068 DW	526	')
	527
	528	optional_policy(`
	529	gpg_role(sysadm_r, sysadm_t)
	530	')
	531
2968e068 DW	532	optional_policy(`
	533	java_role(sysadm_r, sysadm_t)
	534	')
	535
	536	optional_policy(`
	537	lockdev_role(sysadm_r, sysadm_t)
	538	')
	539
dd323694 DW	540	optional_policy(`
	541	mock_admin(sysadm_t)
	542	')
	543
2968e068 DW	544	optional_policy(`
	545	mozilla_role(sysadm_r, sysadm_t)
	546	')
	547
	548	optional_policy(`
	549	mplayer_role(sysadm_r, sysadm_t)
	550	')
	551
	552	optional_policy(`
	553	pyzor_role(sysadm_r, sysadm_t)
	554	')
	555
	556	optional_policy(`
	557	razor_role(sysadm_r, sysadm_t)
	558	')
	559
	560	optional_policy(`
	561	rssh_role(sysadm_r, sysadm_t)
	562	')
	563
	564	optional_policy(`
	565	spamassassin_role(sysadm_r, sysadm_t)
	566	')
	567
	568	optional_policy(`
	569	thunderbird_role(sysadm_r, sysadm_t)
	570	')
	571
	572	optional_policy(`
	573	tvtime_role(sysadm_r, sysadm_t)
	574	')
	575
	576	optional_policy(`
	577	uml_role(sysadm_r, sysadm_t)
	578	')
	579
	580	optional_policy(`
	581	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	582	')
	583
	584	optional_policy(`
	585	vmware_role(sysadm_r, sysadm_t)
	586	')
	587
	588	optional_policy(`
	589	wireshark_role(sysadm_r, sysadm_t)
	590	')
	591
	592	optional_policy(`
	593	xserver_role(sysadm_r, sysadm_t)
	594	')
	595	')