[people/stevee/selinux-policy.git] / policy / modules / roles / sysadm.te

policy_module(sysadm, 2.2.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
gen_tunable(allow_ptrace, false)

role sysadm_r;

userdom_admin_user_template(sysadm)

ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#
kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

dev_filetrans_all_named_dev(sysadm_t)
storage_filetrans_all_named_dev(sysadm_t)
term_filetrans_all_named_dev(sysadm_t)

mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

storage_setattr_fixed_disk_dev(sysadm_t)

ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

miscfiles_read_hwdata(sysadm_t)

sysnet_filetrans_named_content(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_user_tmp_dirs(sysadm_t)
userdom_manage_user_tmp_files(sysadm_t)
userdom_manage_user_tmp_symlinks(sysadm_t)
userdom_manage_user_tmp_chr_files(sysadm_t)
userdom_manage_user_tmp_blk_files(sysadm_t)

optional_policy(`
	ssh_filetrans_admin_home_content(sysadm_t)
')

ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

tunable_policy(`allow_ptrace',`
	domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	apache_filetrans_home_content(sysadm_t)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

optional_policy(`
	apt_run(sysadm_t, sysadm_r)
')

optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
')

optional_policy(`
	consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
    daemonstools_run_start(sysadm_t, sysadm_r)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
	kerberos_filetrans_named_content(sysadm_t)
')

optional_policy(`
	kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
	modutils_read_module_deps(sysadm_t)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
	# this is defined in userdom_common_user_template
	#mta_filetrans_home_content(sysadm_t)
	mta_filetrans_admin_home_content(sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	networkmanager_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	nx_filetrans_named_content(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	openvpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	polipo_role(sysadm_r, sysadm_t)
	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	polipo_named_filetrans_admin_config_home_files(sysadm_t)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	puppet_run_puppetca(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
	rpm_dbus_chat(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	samhain_admin(sysadm_t)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	setroubleshoot_stream_connect(sysadm_t)
	setroubleshoot_dbus_chat(sysadm_t)
	setroubleshoot_dbus_chat_fixit(sysadm_t)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
	systemd_passwd_agent_run(sysadm_t, sysadm_r)
	systemd_config_all_services(sysadm_t)
	systemd_manage_all_unit_files(sysadm_t)
	systemd_manage_all_unit_lnk_files(sysadm_t)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	udev_run(sysadm_t, sysadm_r)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
	virt_filetrans_home_content(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')

ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')
	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		dbus_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		evolution_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		games_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gift_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gnome_role(sysadm_r, sysadm_t)
		gnome_filetrans_admin_home_content(sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mock_admin(sysadm_t)
	')

	optional_policy(`
		mozilla_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		thunderbird_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		tvtime_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		xserver_role(sysadm_r, sysadm_t)
	')
')
Commit	Line	Data
d5048bc7	1	policy_module(sysadm, 2.2.1)
e9c6cda7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
	9	## <p>
	10	## Allow sysadm to debug or ptrace all processes.
	11	## </p>
	12	## </desc>
0bfccda4	13	gen_tunable(allow_ptrace, false)
e9c6cda7 CP	14
	15	role sysadm_r;
	16
	17	userdom_admin_user_template(sysadm)
	18
	19	ifndef(`enable_mls',`
296273a7	20	userdom_security_admin_template(sysadm_t, sysadm_r)
e9c6cda7 CP	21	')
	22
	23	########################################
	24	#
	25	# Local policy
	26	#
2968e068	27	kernel_read_fs_sysctls(sysadm_t)
e9c6cda7 CP	28
	29	corecmd_exec_shell(sysadm_t)
	30
3eaa9939 DW	31	domain_dontaudit_read_all_domains_state(sysadm_t)
3eaa9939 DW	32
2968e068 DW	33	files_read_kernel_modules(sysadm_t)
2968e068 DW	34
65f784aa DW	35	dev_filetrans_all_named_dev(sysadm_t)
	36	storage_filetrans_all_named_dev(sysadm_t)
	37	term_filetrans_all_named_dev(sysadm_t)
72eaebd0	38
e9c6cda7	39	mls_process_read_up(sysadm_t)
3eaa9939 DW	40	mls_file_read_to_clearance(sysadm_t)
3eaa9939 DW	41	mls_process_write_to_clearance(sysadm_t)
e9c6cda7	42
77b776ea DW	43	storage_setattr_fixed_disk_dev(sysadm_t)
77b776ea DW	44
296273a7 CP	45	ubac_process_exempt(sysadm_t)
	46	ubac_file_exempt(sysadm_t)
	47	ubac_fd_exempt(sysadm_t)
	48
3eaa9939 DW	49	application_exec(sysadm_t)
3eaa9939 DW	50
e9c6cda7	51	init_exec(sysadm_t)
3eaa9939 DW	52	init_exec_script_files(sysadm_t)
3eaa9939 DW	53	init_dbus_chat(sysadm_t)
2968e068 DW	54	init_script_role_transition(sysadm_r)
2968e068 DW	55
2968e068	56	miscfiles_read_hwdata(sysadm_t)
e9c6cda7	57
9c7e72de	58	sysnet_filetrans_named_content(sysadm_t)
72eaebd0	59
296273a7 CP	60	# Add/remove user home directories
	61	userdom_manage_user_home_dirs(sysadm_t)
	62	userdom_home_filetrans_user_home_dir(sysadm_t)
3eaa9939 DW	63	userdom_manage_user_tmp_dirs(sysadm_t)
	64	userdom_manage_user_tmp_files(sysadm_t)
	65	userdom_manage_user_tmp_symlinks(sysadm_t)
	66	userdom_manage_user_tmp_chr_files(sysadm_t)
	67	userdom_manage_user_tmp_blk_files(sysadm_t)
e9c6cda7	68
72eaebd0	69	optional_policy(`
a11cc065	70	ssh_filetrans_admin_home_content(sysadm_t)
72eaebd0 DW	71	')
72eaebd0 DW	72
e9c6cda7 CP	73	ifdef(`direct_sysadm_daemon',`
e9c6cda7 CP	74	optional_policy(`
296273a7	75	init_run_daemon(sysadm_t, sysadm_r)
e9c6cda7 CP	76	')
	77	',`
	78	ifdef(`distro_gentoo',`
	79	optional_policy(`
296273a7	80	seutil_init_script_run_runinit(sysadm_t, sysadm_r)
e9c6cda7 CP	81	')
	82	')
	83	')
	84
	85	ifndef(`enable_mls',`
	86	logging_manage_audit_log(sysadm_t)
	87	logging_manage_audit_config(sysadm_t)
296273a7	88	logging_run_auditctl(sysadm_t, sysadm_r)
3eaa9939	89	logging_stream_connect_syslog(sysadm_t)
e9c6cda7 CP	90	')
	91
	92	tunable_policy(`allow_ptrace',`
	93	domain_ptrace_all_domains(sysadm_t)
	94	')
	95
	96	optional_policy(`
296273a7	97	amanda_run_recover(sysadm_t, sysadm_r)
e9c6cda7 CP	98	')
	99
	100	optional_policy(`
296273a7	101	apache_run_helper(sysadm_t, sysadm_r)
3ad2a285	102	apache_filetrans_home_content(sysadm_t)
e9c6cda7 CP	103	#apache_run_all_scripts(sysadm_t, sysadm_r)
	104	#apache_domtrans_sys_script(sysadm_t)
	105	')
	106
	107	optional_policy(`
	108	# cjp: why is this not apm_run_client
	109	apm_domtrans_client(sysadm_t)
	110	')
	111
	112	optional_policy(`
296273a7 CP	113	apt_run(sysadm_t, sysadm_r)
	114	')
	115
	116	optional_policy(`
	117	auditadm_role_change(sysadm_r)
	118	')
	119
296273a7 CP	120	optional_policy(`
296273a7 CP	121	backup_run(sysadm_t, sysadm_r)
e9c6cda7 CP	122	')
	123
	124	optional_policy(`
296273a7	125	bind_run_ndc(sysadm_t, sysadm_r)
e9c6cda7 CP	126	')
e9c6cda7 CP	127
e9c6cda7	128	optional_policy(`
296273a7	129	bootloader_run(sysadm_t, sysadm_r)
e9c6cda7 CP	130	')
e9c6cda7 CP	131
3eaa9939 DW	132	optional_policy(`
	133	certmonger_dbus_chat(sysadm_t)
	134	')
	135
e9c6cda7	136	optional_policy(`
296273a7	137	certwatch_run(sysadm_t, sysadm_r)
e9c6cda7 CP	138	')
	139
	140	optional_policy(`
296273a7	141	clock_run(sysadm_t, sysadm_r)
e9c6cda7 CP	142	')
	143
	144	optional_policy(`
296273a7	145	clockspeed_run_cli(sysadm_t, sysadm_r)
e9c6cda7 CP	146	')
e9c6cda7 CP	147
0351e043 DW	148	optional_policy(`
	149	cron_admin_role(sysadm_r, sysadm_t)
	150	')
	151
e9c6cda7	152	optional_policy(`
296273a7	153	consoletype_run(sysadm_t, sysadm_r)
e9c6cda7 CP	154	')
e9c6cda7 CP	155
3eaa9939 DW	156	optional_policy(`
3eaa9939 DW	157	daemonstools_run_start(sysadm_t, sysadm_r)
e9c6cda7 CP	158	')
e9c6cda7 CP	159
e9c6cda7	160	optional_policy(`
296273a7 CP	161	dcc_run_cdcc(sysadm_t, sysadm_r)
	162	dcc_run_client(sysadm_t, sysadm_r)
	163	dcc_run_dbclean(sysadm_t, sysadm_r)
	164	')
	165
4ad28653 DW	166	optional_policy(`
	167	dbus_role_template(sysadm, sysadm_r, sysadm_t)
	168	')
	169
296273a7 CP	170	optional_policy(`
296273a7 CP	171	ddcprobe_run(sysadm_t, sysadm_r)
e9c6cda7 CP	172	')
	173
	174	optional_policy(`
	175	dmesg_exec(sysadm_t)
	176	')
	177
	178	optional_policy(`
296273a7 CP	179	dmidecode_run(sysadm_t, sysadm_r)
	180	')
	181
	182	optional_policy(`
	183	dpkg_run(sysadm_t, sysadm_r)
e9c6cda7 CP	184	')
e9c6cda7 CP	185
e9c6cda7	186	optional_policy(`
296273a7	187	firstboot_run(sysadm_t, sysadm_r)
e9c6cda7 CP	188	')
	189
	190	optional_policy(`
296273a7	191	fstools_run(sysadm_t, sysadm_r)
e9c6cda7 CP	192	')
e9c6cda7 CP	193
296273a7 CP	194	optional_policy(`
296273a7 CP	195	hostname_run(sysadm_t, sysadm_r)
e9c6cda7 CP	196	')
e9c6cda7 CP	197
bc71a042	198	optional_policy(`
641ac054	199	hadoop_role(sysadm_r, sysadm_t)
bc71a042 PN	200	')
bc71a042 PN	201
e9c6cda7 CP	202	optional_policy(`
	203	# allow system administrator to use the ipsec script to look
	204	# at things (e.g., ipsec auto --status)
	205	# probably should create an ipsec_admin role for this kind of thing
	206	ipsec_exec_mgmt(sysadm_t)
	207	ipsec_stream_connect(sysadm_t)
	208	# for lsof
	209	ipsec_getattr_key_sockets(sysadm_t)
3eaa9939 DW	210	ipsec_run_setkey(sysadm_t, sysadm_r)
	211	ipsec_run_racoon(sysadm_t, sysadm_r)
	212	ipsec_stream_connect_racoon(sysadm_t)
	213
	214	optional_policy(`
	215	ipsec_mgmt_dbus_chat(sysadm_t)
	216	')
e9c6cda7 CP	217	')
	218
	219	optional_policy(`
296273a7 CP	220	iptables_run(sysadm_t, sysadm_r)
	221	')
	222
f8f030aa DG	223	optional_policy(`
	224	irc_role(sysadm_r, sysadm_t)
	225	')
	226
3eaa9939 DW	227	optional_policy(`
3eaa9939 DW	228	kerberos_exec_kadmind(sysadm_t)
d141ac47	229	kerberos_filetrans_named_content(sysadm_t)
3eaa9939 DW	230	')
3eaa9939 DW	231
e9c6cda7	232	optional_policy(`
296273a7	233	kudzu_run(sysadm_t, sysadm_r)
e9c6cda7 CP	234	')
	235
	236	optional_policy(`
296273a7	237	libs_run_ldconfig(sysadm_t, sysadm_r)
e9c6cda7 CP	238	')
e9c6cda7 CP	239
e9c6cda7	240	optional_policy(`
296273a7	241	logrotate_run(sysadm_t, sysadm_r)
e9c6cda7 CP	242	')
	243
	244	optional_policy(`
296273a7 CP	245	lpd_run_checkpc(sysadm_t, sysadm_r)
296273a7 CP	246	lpd_role(sysadm_r, sysadm_t)
e9c6cda7 CP	247	')
	248
	249	optional_policy(`
296273a7	250	lvm_run(sysadm_t, sysadm_r)
e9c6cda7 CP	251	')
	252
	253	optional_policy(`
296273a7 CP	254	modutils_run_depmod(sysadm_t, sysadm_r)
	255	modutils_run_insmod(sysadm_t, sysadm_r)
	256	modutils_run_update_mods(sysadm_t, sysadm_r)
2371d8d8	257	modutils_read_module_deps(sysadm_t)
e9c6cda7 CP	258	')
	259
	260	optional_policy(`
296273a7	261	mount_run(sysadm_t, sysadm_r)
3eaa9939	262	mount_run_showmount(sysadm_t, sysadm_r)
296273a7 CP	263	')
296273a7 CP	264
296273a7 CP	265	optional_policy(`
296273a7 CP	266	mta_role(sysadm_r, sysadm_t)
7c702088 MG	267	# this is defined in userdom_common_user_template
7c702088 MG	268	#mta_filetrans_home_content(sysadm_t)
780198a1	269	mta_filetrans_admin_home_content(sysadm_t)
e9c6cda7 CP	270	')
	271
	272	optional_policy(`
	273	munin_stream_connect(sysadm_t)
	274	')
	275
	276	optional_policy(`
	277	mysql_stream_connect(sysadm_t)
	278	')
	279
3eaa9939 DW	280	optional_policy(`
	281	ncftool_run(sysadm_t, sysadm_r)
	282	')
	283
e9c6cda7	284	optional_policy(`
296273a7 CP	285	netutils_run(sysadm_t, sysadm_r)
	286	netutils_run_ping(sysadm_t, sysadm_r)
	287	netutils_run_traceroute(sysadm_t, sysadm_r)
e9c6cda7 CP	288	')
e9c6cda7 CP	289
0ddcd8f6 DW	290	optional_policy(`
	291	networkmanager_filetrans_named_content(sysadm_t)
	292	')
	293
e9c6cda7 CP	294	optional_policy(`
	295	ntp_stub()
	296	corenet_udp_bind_ntp_port(sysadm_t)
	297	')
	298
e4b8dbb3	299	optional_policy(`
7e67b9c9	300	nx_filetrans_named_content(sysadm_t)
e4b8dbb3 DW	301	')
e4b8dbb3 DW	302
e9c6cda7	303	optional_policy(`
296273a7 CP	304	oav_run_update(sysadm_t, sysadm_r)
	305	')
	306
87f49770 MG	307	optional_policy(`
	308	openvpn_run(sysadm_t, sysadm_r)
	309	')
	310
296273a7 CP	311	optional_policy(`
296273a7 CP	312	pcmcia_run_cardctl(sysadm_t, sysadm_r)
e9c6cda7 CP	313	')
e9c6cda7 CP	314
f1b7d092 DG	315	optional_policy(`
	316	polipo_role(sysadm_r, sysadm_t)
	317	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	318	polipo_named_filetrans_admin_config_home_files(sysadm_t)
	319	')
	320
e9c6cda7	321	optional_policy(`
296273a7 CP	322	portage_run(sysadm_t, sysadm_r)
296273a7 CP	323	portage_run_gcc_config(sysadm_t, sysadm_r)
e9c6cda7 CP	324	')
	325
	326	optional_policy(`
296273a7	327	portmap_run_helper(sysadm_t, sysadm_r)
e9c6cda7 CP	328	')
e9c6cda7 CP	329
3eaa9939 DW	330	optional_policy(`
	331	prelink_run(sysadm_t, sysadm_r)
	332	')
	333
51b8b4c0 DW	334	optional_policy(`
	335	puppet_run_puppetca(sysadm_t, sysadm_r)
	336	')
	337
e9c6cda7	338	optional_policy(`
296273a7	339	quota_run(sysadm_t, sysadm_r)
e9c6cda7 CP	340	')
	341
	342	optional_policy(`
	343	raid_domtrans_mdadm(sysadm_t)
	344	')
	345
	346	optional_policy(`
	347	rpc_domtrans_nfsd(sysadm_t)
	348	')
	349
	350	optional_policy(`
296273a7	351	rpm_run(sysadm_t, sysadm_r)
4e889ea1	352	rpm_dbus_chat(sysadm_t, sysadm_r)
296273a7 CP	353	')
296273a7 CP	354
e9c6cda7 CP	355	optional_policy(`
	356	rsync_exec(sysadm_t)
	357	')
	358
	359	optional_policy(`
296273a7 CP	360	samba_run_net(sysadm_t, sysadm_r)
296273a7 CP	361	samba_run_winbind_helper(sysadm_t, sysadm_r)
e9c6cda7 CP	362	')
e9c6cda7 CP	363
b2f8897d HC	364	optional_policy(`
	365	samhain_admin(sysadm_t)
	366	')
	367
e9c6cda7	368	optional_policy(`
296273a7	369	screen_role_template(sysadm, sysadm_r, sysadm_t)
e9c6cda7 CP	370	')
	371
	372	optional_policy(`
296273a7	373	secadm_role_change(sysadm_r)
e9c6cda7 CP	374	')
e9c6cda7 CP	375
7c525b65 DW	376	optional_policy(`
	377	setroubleshoot_stream_connect(sysadm_t)
	378	setroubleshoot_dbus_chat(sysadm_t)
	379	setroubleshoot_dbus_chat_fixit(sysadm_t)
	380	')
	381
e9c6cda7	382	optional_policy(`
296273a7 CP	383	seutil_run_setfiles(sysadm_t, sysadm_r)
296273a7 CP	384	seutil_run_runinit(sysadm_t, sysadm_r)
e9c6cda7 CP	385	')
e9c6cda7 CP	386
3eaa9939 DW	387	optional_policy(`
	388	shutdown_run(sysadm_t, sysadm_r)
	389	')
	390
e9c6cda7	391	optional_policy(`
296273a7 CP	392	ssh_role_template(sysadm, sysadm_r, sysadm_t)
	393	')
	394
	395	optional_policy(`
	396	staff_role_change(sysadm_r)
	397	')
	398
	399	optional_policy(`
	400	su_role_template(sysadm, sysadm_r, sysadm_t)
	401	')
	402
	403	optional_policy(`
	404	sudo_role_template(sysadm, sysadm_r, sysadm_t)
	405	')
	406
	407	optional_policy(`
	408	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	409	sysnet_run_dhcpc(sysadm_t, sysadm_r)
	410	')
	411
d7441a41 DW	412	optional_policy(`
d7441a41 DW	413	systemd_passwd_agent_run(sysadm_t, sysadm_r)
faaa4a27 DW	414	systemd_config_all_services(sysadm_t)
	415	systemd_manage_all_unit_files(sysadm_t)
	416	systemd_manage_all_unit_lnk_files(sysadm_t)
d7441a41 DW	417	')
d7441a41 DW	418
296273a7 CP	419	optional_policy(`
	420	tripwire_run_siggen(sysadm_t, sysadm_r)
	421	tripwire_run_tripwire(sysadm_t, sysadm_r)
	422	tripwire_run_twadmin(sysadm_t, sysadm_r)
	423	tripwire_run_twprint(sysadm_t, sysadm_r)
	424	')
	425
e9c6cda7 CP	426	optional_policy(`
	427	tzdata_domtrans(sysadm_t)
	428	')
	429
	430	optional_policy(`
b34db7a8	431	unconfined_domtrans(sysadm_t)
e9c6cda7 CP	432	')
e9c6cda7 CP	433
9427adb7 MG	434	optional_policy(`
	435	udev_run(sysadm_t, sysadm_r)
	436	')
	437
e9c6cda7	438	optional_policy(`
296273a7 CP	439	unprivuser_role_change(sysadm_r)
	440	')
	441
	442	optional_policy(`
	443	usbmodules_run(sysadm_t, sysadm_r)
	444	')
e9c6cda7	445
296273a7 CP	446	optional_policy(`
	447	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	448	usermanage_run_groupadd(sysadm_t, sysadm_r)
	449	usermanage_run_useradd(sysadm_t, sysadm_r)
	450	')
	451
3eaa9939	452	optional_policy(`
7c525b65 DW	453	virt_stream_connect(sysadm_t)
7c525b65 DW	454	virt_filetrans_home_content(sysadm_t)
e9c6cda7 CP	455	')
	456
	457	optional_policy(`
7c525b65	458	vlock_run(sysadm_t, sysadm_r)
e9c6cda7 CP	459	')
e9c6cda7 CP	460
3eaa9939	461	optional_policy(`
7c525b65	462	vpn_run(sysadm_t, sysadm_r)
3eaa9939 DW	463	')
3eaa9939 DW	464
d35e2ee0	465	optional_policy(`
7c525b65	466	webalizer_run(sysadm_t, sysadm_r)
d35e2ee0 HC	467	')
d35e2ee0 HC	468
e9c6cda7	469	optional_policy(`
296273a7	470	xserver_role(sysadm_r, sysadm_t)
e9c6cda7 CP	471	')
	472
	473	optional_policy(`
296273a7	474	yam_run(sysadm_t, sysadm_r)
e9c6cda7	475	')
c87e1502	476
3eaa9939 DW	477	optional_policy(`
3eaa9939 DW	478	zebra_stream_connect(sysadm_t)
c87e1502 JS	479	')
c87e1502 JS	480
2968e068 DW	481	ifndef(`distro_redhat',`
	482	optional_policy(`
	483	apache_role(sysadm_r, sysadm_t)
	484	')
	485	optional_policy(`
	486	auth_role(sysadm_r, sysadm_t)
	487	')
3eaa9939	488
2968e068 DW	489	optional_policy(`
	490	bluetooth_role(sysadm_r, sysadm_t)
	491	')
	492
	493	optional_policy(`
	494	cdrecord_role(sysadm_r, sysadm_t)
	495	')
	496
2968e068 DW	497	optional_policy(`
	498	dbus_role_template(sysadm, sysadm_r, sysadm_t)
	499	')
	500
	501	optional_policy(`
	502	evolution_role(sysadm_r, sysadm_t)
	503	')
	504
	505	optional_policy(`
	506	games_role(sysadm_r, sysadm_t)
	507	')
	508
	509	optional_policy(`
	510	gift_role(sysadm_r, sysadm_t)
	511	')
	512
	513	optional_policy(`
	514	gnome_role(sysadm_r, sysadm_t)
a11cc065	515	gnome_filetrans_admin_home_content(sysadm_t)
2968e068 DW	516	')
	517
	518	optional_policy(`
	519	gpg_role(sysadm_r, sysadm_t)
	520	')
	521
2968e068 DW	522	optional_policy(`
	523	java_role(sysadm_r, sysadm_t)
	524	')
	525
	526	optional_policy(`
	527	lockdev_role(sysadm_r, sysadm_t)
	528	')
	529
dd323694 DW	530	optional_policy(`
	531	mock_admin(sysadm_t)
	532	')
	533
2968e068 DW	534	optional_policy(`
	535	mozilla_role(sysadm_r, sysadm_t)
	536	')
	537
	538	optional_policy(`
	539	mplayer_role(sysadm_r, sysadm_t)
	540	')
	541
	542	optional_policy(`
	543	pyzor_role(sysadm_r, sysadm_t)
	544	')
	545
	546	optional_policy(`
	547	razor_role(sysadm_r, sysadm_t)
	548	')
	549
	550	optional_policy(`
	551	rssh_role(sysadm_r, sysadm_t)
	552	')
	553
	554	optional_policy(`
	555	spamassassin_role(sysadm_r, sysadm_t)
	556	')
	557
	558	optional_policy(`
	559	thunderbird_role(sysadm_r, sysadm_t)
	560	')
	561
	562	optional_policy(`
	563	tvtime_role(sysadm_r, sysadm_t)
	564	')
	565
	566	optional_policy(`
	567	uml_role(sysadm_r, sysadm_t)
	568	')
	569
	570	optional_policy(`
	571	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	572	')
	573
	574	optional_policy(`
	575	vmware_role(sysadm_r, sysadm_t)
	576	')
	577
	578	optional_policy(`
	579	wireshark_role(sysadm_r, sysadm_t)
	580	')
	581
	582	optional_policy(`
	583	xserver_role(sysadm_r, sysadm_t)
	584	')
	585	')