Commit | Line | Data |
---|---|---|
# Module header for the sysadm (system administrator) role. The visible
# statements declare the allow_ptrace tunable, the sysadm_r role, and
# instantiate the userdom admin-user template with the sysadm prefix.
826d0142 | 1 | policy_module(sysadm, 2.2.0) |
e9c6cda7 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
# The tunable documented below is declared with a default of false, so the
# domain_ptrace_all_domains grant near file line 97 stays off until an
# administrator enables the boolean. Current state can be checked with
# getsebool allow_ptrace; an unexpected "on" is worth investigating because
# ptrace access exposes the memory of every traced process.
8 | ## <desc> | |
9 | ## <p> | |
10 | ## Allow sysadm to debug or ptrace all processes. | |
11 | ## </p> | |
12 | ## </desc> | |
0bfccda4 | 13 | gen_tunable(allow_ptrace, false) |
e9c6cda7 CP |
14 | |
15 | role sysadm_r; | |
16 | ||
17 | userdom_admin_user_template(sysadm) | |
18 | ||
# Compiled in only when enable_mls is NOT defined: sysadm additionally gets
# the security-admin template.
# NOTE(review): presumably MLS builds keep security administration in a
# separate role for separation of duties (a secadm_role_change call appears
# later in this file) - confirm against the userdom interface definition.
19 | ifndef(`enable_mls',` | |
296273a7 | 20 | userdom_security_admin_template(sysadm_t, sysadm_r) |
e9c6cda7 CP |
21 | ') |
22 | ||
# Unconditional grants to sysadm_t. Each call expands an interface defined in
# another module, so the notes below describe what the interface NAMES suggest
# (refpolicy naming convention) and should be confirmed against the .if files.
23 | ######################################## | |
24 | # | |
25 | # Local policy | |
26 | # | |
2968e068 | 27 | kernel_read_fs_sysctls(sysadm_t) |
e9c6cda7 CP |
28 | |
29 | corecmd_exec_shell(sysadm_t) | |
30 | ||
# dontaudit grants nothing: it presumably only silences the audit record for a
# denied read of other domains state. When triaging, hidden denials can be
# surfaced by rebuilding policy with dontaudit rules disabled (semodule -DB).
3eaa9939 DW |
31 | domain_dontaudit_read_all_domains_state(sysadm_t) |
32 | ||
2968e068 DW |
33 | files_read_kernel_modules(sysadm_t) |
34 | ||
# Named file transitions (presumably): device nodes created by sysadm_t pick
# up the label that matches their name instead of a generic one.
65f784aa DW |
35 | dev_filetrans_all_named_dev(sysadm_t) |
36 | storage_filetrans_all_named_dev(sysadm_t) | |
37 | term_filetrans_all_named_dev(sysadm_t) | |
72eaebd0 | 38 | |
# NOTE(review): these MLS overrides sit outside any enable_mls conditional.
# Going by the names they let sysadm_t read processes above its level and
# read or write up to its clearance - confirm scope in the mls module, since
# they weaken the MLS read/write constraints for this domain.
e9c6cda7 | 39 | mls_process_read_up(sysadm_t) |
3eaa9939 DW |
40 | mls_file_read_to_clearance(sysadm_t) |
41 | mls_process_write_to_clearance(sysadm_t) | |
e9c6cda7 | 42 | |
77b776ea DW |
43 | storage_setattr_fixed_disk_dev(sysadm_t) |
44 | ||
# NOTE(review): the three ubac_*_exempt calls appear to exempt sysadm_t from
# user-based access control for processes, files and file descriptors, so the
# per-SELinux-user separation would not constrain this domain - confirm, and
# account for it when auditing what sysadm can reach in other user sessions.
296273a7 CP |
45 | ubac_process_exempt(sysadm_t) |
46 | ubac_file_exempt(sysadm_t) | |
47 | ubac_fd_exempt(sysadm_t) | |
48 | ||
3eaa9939 DW |
49 | application_exec(sysadm_t) |
50 | ||
# init_script_role_transition takes the ROLE (sysadm_r), unlike the other init
# calls here which take the domain.
e9c6cda7 | 51 | init_exec(sysadm_t) |
3eaa9939 DW |
52 | init_exec_script_files(sysadm_t) |
53 | init_dbus_chat(sysadm_t) | |
2968e068 DW |
54 | init_script_role_transition(sysadm_r) |
55 | ||
2968e068 | 56 | miscfiles_read_hwdata(sysadm_t) |
e9c6cda7 | 57 | |
# One call per file name: presumably a named transition so that these files,
# when created by sysadm_t, get the network-configuration label - confirm.
72eaebd0 DW |
58 | sysnet_etc_filetrans_config(sysadm_t, resolv.conf) |
59 | sysnet_etc_filetrans_config(sysadm_t, denyhosts) | |
60 | sysnet_etc_filetrans_config(sysadm_t, hosts) | |
61 | sysnet_etc_filetrans_config(sysadm_t, ethers) | |
62 | sysnet_etc_filetrans_config(sysadm_t, yp.conf) | |
63 | ||
296273a7 CP |
64 | # Add/remove user home directories |
65 | userdom_manage_user_home_dirs(sysadm_t) | |
66 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
# Manage access to user temporary content, including character and block
# device nodes found there (per the chr_files / blk_files interface names).
3eaa9939 DW |
67 | userdom_manage_user_tmp_dirs(sysadm_t) |
68 | userdom_manage_user_tmp_files(sysadm_t) | |
69 | userdom_manage_user_tmp_symlinks(sysadm_t) | |
70 | userdom_manage_user_tmp_chr_files(sysadm_t) | |
71 | userdom_manage_user_tmp_blk_files(sysadm_t) | |
e9c6cda7 | 72 | |
# Conditional grants: one optional block, two build-time (ifdef/ifndef)
# sections and one boolean-controlled (tunable_policy) section.
72eaebd0 | 73 | optional_policy(` |
72eaebd0 DW |
74 | ssh_admin_home_dir_filetrans(sysadm_t) |
75 | ') | |
76 | ||
# With direct_sysadm_daemon defined, sysadm may start daemons directly via
# init_run_daemon. Otherwise only Gentoo builds get a grant here, through the
# run_init path. No grant is made in this section for other distributions.
e9c6cda7 CP |
77 | ifdef(`direct_sysadm_daemon',` |
78 | optional_policy(` | |
296273a7 | 79 | init_run_daemon(sysadm_t, sysadm_r) |
e9c6cda7 CP |
80 | ') |
81 | ',` | |
82 | ifdef(`distro_gentoo',` | |
83 | optional_policy(` | |
296273a7 | 84 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) |
e9c6cda7 CP |
85 | ') |
86 | ') | |
87 | ') | |
88 | ||
# Audit log and audit configuration management is given to sysadm only when
# enable_mls is NOT defined. On non-MLS builds the administrator can therefore
# alter the audit trail and its rules, so audit records should also be shipped
# off-host if they must survive a compromised admin session.
# NOTE(review): presumably MLS builds reserve this for the auditadm role (an
# auditadm_role_change call appears later in this file) - confirm.
89 | ifndef(`enable_mls',` | |
90 | logging_manage_audit_log(sysadm_t) | |
91 | logging_manage_audit_config(sysadm_t) | |
296273a7 | 92 | logging_run_auditctl(sysadm_t, sysadm_r) |
3eaa9939 | 93 | logging_stream_connect_syslog(sysadm_t) |
e9c6cda7 CP |
94 | ') |
95 | ||
# Active only while the allow_ptrace boolean (declared false at file line 13)
# is on. When enabled, sysadm_t may ptrace every domain.
96 | tunable_policy(`allow_ptrace',` | |
97 | domain_ptrace_all_domains(sysadm_t) | |
98 | ') | |
99 | ||
# Optional grants, part 1 (amanda through hadoop). In refpolicy an
# optional_policy block is kept only when the module that provides the called
# interfaces is part of the build. Naming convention, to be confirmed against
# each module .if file: X_run(domain, role) = transition into the program own
# domain plus the role is allowed that domain; X_domtrans(domain) = transition
# only; X_exec(domain) = run the program inside sysadm_t with no transition;
# X_role(role, domain) = per-application role access.
100 | optional_policy(` | |
296273a7 | 101 | amanda_run_recover(sysadm_t, sysadm_r) |
e9c6cda7 CP |
102 | ') |
103 | ||
# The two script-related calls below are commented out in the source, so only
# the helper transition is granted here.
104 | optional_policy(` | |
296273a7 | 105 | apache_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
106 | #apache_run_all_scripts(sysadm_t, sysadm_r) |
107 | #apache_domtrans_sys_script(sysadm_t) | |
108 | ') | |
109 | ||
# NOTE(review): the author question below is still open. A domtrans call
# passes no role, so presumably sysadm_r is not associated with the target
# type here - confirm whether a run-style interface was intended.
110 | optional_policy(` | |
111 | # cjp: why is this not apm_run_client | |
112 | apm_domtrans_client(sysadm_t) | |
113 | ') | |
114 | ||
115 | optional_policy(` | |
296273a7 CP |
116 | apt_run(sysadm_t, sysadm_r) |
117 | ') | |
118 | ||
# Role change: presumably lets sysadm_r switch to the audit administrator role.
119 | optional_policy(` | |
120 | auditadm_role_change(sysadm_r) | |
121 | ') | |
122 | ||
296273a7 CP |
123 | optional_policy(` |
124 | backup_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
125 | ') |
126 | ||
127 | optional_policy(` | |
296273a7 | 128 | bind_run_ndc(sysadm_t, sysadm_r) |
e9c6cda7 CP |
129 | ') |
130 | ||
e9c6cda7 | 131 | optional_policy(` |
296273a7 | 132 | bootloader_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
133 | ') |
134 | ||
3eaa9939 DW |
135 | optional_policy(` |
136 | certmonger_dbus_chat(sysadm_t) | |
137 | ') | |
138 | ||
e9c6cda7 | 139 | optional_policy(` |
296273a7 | 140 | certwatch_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
141 | ') |
142 | ||
143 | optional_policy(` | |
296273a7 | 144 | clock_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
145 | ') |
146 | ||
147 | optional_policy(` | |
296273a7 | 148 | clockspeed_run_cli(sysadm_t, sysadm_r) |
e9c6cda7 CP |
149 | ') |
150 | ||
151 | optional_policy(` | |
296273a7 | 152 | consoletype_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
153 | ') |
154 | ||
3eaa9939 DW |
155 | optional_policy(` |
156 | daemonstools_run_start(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
157 | ') |
158 | ||
e9c6cda7 | 159 | optional_policy(` |
296273a7 CP |
160 | dcc_run_cdcc(sysadm_t, sysadm_r) |
161 | dcc_run_client(sysadm_t, sysadm_r) | |
162 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
163 | ') | |
164 | ||
# NOTE(review): the same template call with the same arguments appears again
# at file line 463 inside the ifndef distro_redhat section. On builds without
# distro_redhat both copies are compiled - confirm that the second expansion
# does not redeclare anything the first one already declared.
4ad28653 DW |
165 | optional_policy(` |
166 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
167 | ') | |
168 | ||
296273a7 CP |
169 | optional_policy(` |
170 | ddcprobe_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
171 | ') |
172 | ||
173 | optional_policy(` | |
174 | dmesg_exec(sysadm_t) | |
175 | ') | |
176 | ||
177 | optional_policy(` | |
296273a7 CP |
178 | dmidecode_run(sysadm_t, sysadm_r) |
179 | ') | |
180 | ||
181 | optional_policy(` | |
182 | dpkg_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
183 | ') |
184 | ||
e9c6cda7 | 185 | optional_policy(` |
296273a7 | 186 | firstboot_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
187 | ') |
188 | ||
189 | optional_policy(` | |
296273a7 | 190 | fstools_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
191 | ') |
192 | ||
296273a7 CP |
193 | optional_policy(` |
194 | hostname_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
195 | ') |
196 | ||
bc71a042 | 197 | optional_policy(` |
641ac054 | 198 | hadoop_role(sysadm_r, sysadm_t) |
bc71a042 PN |
199 | ') |
200 | ||
# Optional grants, part 2 (ipsec through rpm). Same conventions as the blocks
# above: each optional_policy is kept only when the providing module is built,
# and the interface bodies live in other modules (confirm details there).
e9c6cda7 CP |
201 | optional_policy(` |
202 | # allow system administrator to use the ipsec script to look | |
203 | # at things (e.g., ipsec auto --status) | |
204 | # probably should create an ipsec_admin role for this kind of thing | |
205 | ipsec_exec_mgmt(sysadm_t) | |
206 | ipsec_stream_connect(sysadm_t) | |
207 | # for lsof | |
208 | ipsec_getattr_key_sockets(sysadm_t) | |
3eaa9939 DW |
209 | ipsec_run_setkey(sysadm_t, sysadm_r) |
210 | ipsec_run_racoon(sysadm_t, sysadm_r) | |
211 | ipsec_stream_connect_racoon(sysadm_t) | |
212 | ||
# Nested optional block: applies only when both the ipsec interfaces above and
# this dbus interface are available.
213 | optional_policy(` | |
214 | ipsec_mgmt_dbus_chat(sysadm_t) | |
215 | ') | |
e9c6cda7 CP |
216 | ') |
217 | ||
218 | optional_policy(` | |
296273a7 CP |
219 | iptables_run(sysadm_t, sysadm_r) |
220 | ') | |
221 | ||
# exec-style grant: kadmind would run inside sysadm_t rather than in its own
# domain (per the naming convention - confirm).
3eaa9939 DW |
222 | optional_policy(` |
223 | kerberos_exec_kadmind(sysadm_t) | |
224 | ') | |
225 | ||
e9c6cda7 | 226 | optional_policy(` |
296273a7 | 227 | kudzu_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
228 | ') |
229 | ||
230 | optional_policy(` | |
296273a7 | 231 | libs_run_ldconfig(sysadm_t, sysadm_r) |
e9c6cda7 CP |
232 | ') |
233 | ||
e9c6cda7 | 234 | optional_policy(` |
296273a7 | 235 | logrotate_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
236 | ') |
237 | ||
238 | optional_policy(` | |
296273a7 CP |
239 | lpd_run_checkpc(sysadm_t, sysadm_r) |
240 | lpd_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
241 | ') |
242 | ||
243 | optional_policy(` | |
296273a7 | 244 | lvm_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
245 | ') |
246 | ||
# Kernel module tooling. modutils_run_insmod is the grant that matters most
# for hardening reviews: it presumably lets the admin role load kernel modules
# through the insmod domain - confirm, and pair with module-load auditing.
247 | optional_policy(` | |
296273a7 CP |
248 | modutils_run_depmod(sysadm_t, sysadm_r) |
249 | modutils_run_insmod(sysadm_t, sysadm_r) | |
250 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
2371d8d8 | 251 | modutils_read_module_deps(sysadm_t) |
e9c6cda7 CP |
252 | ') |
253 | ||
254 | optional_policy(` | |
296273a7 | 255 | mount_run(sysadm_t, sysadm_r) |
3eaa9939 | 256 | mount_run_showmount(sysadm_t, sysadm_r) |
296273a7 CP |
257 | ') |
258 | ||
296273a7 CP |
259 | optional_policy(` |
260 | mta_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
261 | ') |
262 | ||
263 | optional_policy(` | |
264 | munin_stream_connect(sysadm_t) | |
265 | ') | |
266 | ||
267 | optional_policy(` | |
268 | mysql_stream_connect(sysadm_t) | |
269 | ') | |
270 | ||
3eaa9939 DW |
271 | optional_policy(` |
272 | ncftool_run(sysadm_t, sysadm_r) | |
273 | ') | |
274 | ||
e9c6cda7 | 275 | optional_policy(` |
296273a7 CP |
276 | netutils_run(sysadm_t, sysadm_r) |
277 | netutils_run_ping(sysadm_t, sysadm_r) | |
278 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
279 | ') |
280 | ||
# ntp_stub takes no arguments; presumably it exists only to tie this optional
# block to the presence of the ntp module. The actual grant is the UDP bind to
# the NTP port, made by sysadm_t itself.
281 | optional_policy(` | |
282 | ntp_stub() | |
283 | corenet_udp_bind_ntp_port(sysadm_t) | |
284 | ') | |
285 | ||
286 | optional_policy(` | |
296273a7 CP |
287 | oav_run_update(sysadm_t, sysadm_r) |
288 | ') | |
289 | ||
296273a7 CP |
290 | optional_policy(` |
291 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
292 | ') |
293 | ||
294 | optional_policy(` | |
296273a7 CP |
295 | portage_run(sysadm_t, sysadm_r) |
296 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
297 | ') |
298 | ||
299 | optional_policy(` | |
296273a7 | 300 | portmap_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
301 | ') |
302 | ||
3eaa9939 DW |
303 | optional_policy(` |
304 | prelink_run(sysadm_t, sysadm_r) | |
305 | ') | |
306 | ||
e9c6cda7 | 307 | optional_policy(` |
296273a7 | 308 | quota_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
309 | ') |
310 | ||
# The next two blocks use domtrans without a role argument, unlike the run
# calls around them.
# NOTE(review): presumably the role association for these targets is made
# elsewhere - confirm, as with the apm question earlier in the file.
311 | optional_policy(` | |
312 | raid_domtrans_mdadm(sysadm_t) | |
313 | ') | |
314 | ||
315 | optional_policy(` | |
316 | rpc_domtrans_nfsd(sysadm_t) | |
317 | ') | |
318 | ||
# NOTE(review): every other dbus_chat call in this file passes only the domain
# (init, certmonger, ipsec_mgmt). rpm_dbus_chat is given a second argument,
# sysadm_r, which is presumably ignored by the interface - confirm against the
# rpm module and drop it if unused.
319 | optional_policy(` | |
296273a7 | 320 | rpm_run(sysadm_t, sysadm_r) |
4e889ea1 | 321 | rpm_dbus_chat(sysadm_t, sysadm_r) |
296273a7 CP |
322 | ') |
323 | ||
e9c6cda7 CP |
324 | |
# Optional grants, part 3 (rsync through zebra). Same conventions as above.
# This stretch also holds the role-change grants and the transition into the
# unconfined domain, which matter most when assessing how confined sysadm is.
325 | optional_policy(` | |
326 | rsync_exec(sysadm_t) | |
327 | ') | |
328 | ||
329 | optional_policy(` | |
296273a7 CP |
330 | samba_run_net(sysadm_t, sysadm_r) |
331 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
332 | ') |
333 | ||
# NOTE(review): an admin-style interface on a file-integrity tool presumably
# lets sysadm_t manage its data and processes - confirm scope, since whoever
# can rewrite the integrity baseline can hide changes from it.
b2f8897d HC |
334 | optional_policy(` |
335 | samhain_admin(sysadm_t) | |
336 | ') | |
337 | ||
e9c6cda7 | 338 | optional_policy(` |
296273a7 | 339 | screen_role_template(sysadm, sysadm_r, sysadm_t) |
e9c6cda7 CP |
340 | ') |
341 | ||
# Role change: presumably lets sysadm_r switch to the security admin role.
342 | optional_policy(` | |
296273a7 | 343 | secadm_role_change(sysadm_r) |
e9c6cda7 CP |
344 | ') |
345 | ||
346 | optional_policy(` | |
296273a7 CP |
347 | seutil_run_setfiles(sysadm_t, sysadm_r) |
348 | seutil_run_runinit(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
349 | ') |
350 | ||
3eaa9939 DW |
351 | optional_policy(` |
352 | shutdown_run(sysadm_t, sysadm_r) | |
353 | ') | |
354 | ||
e9c6cda7 | 355 | optional_policy(` |
296273a7 CP |
356 | ssh_role_template(sysadm, sysadm_r, sysadm_t) |
357 | ') | |
358 | ||
359 | optional_policy(` | |
360 | staff_role_change(sysadm_r) | |
361 | ') | |
362 | ||
363 | optional_policy(` | |
364 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
365 | ') | |
366 | ||
367 | optional_policy(` | |
368 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
369 | ') | |
370 | ||
371 | optional_policy(` | |
372 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
373 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
374 | ') | |
375 | ||
296273a7 CP |
376 | optional_policy(` |
377 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
378 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
379 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
380 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
381 | ') | |
382 | ||
e9c6cda7 CP |
383 | optional_policy(` |
384 | tzdata_domtrans(sysadm_t) | |
385 | ') | |
386 | ||
# NOTE(review): when the unconfined module is part of the build, this lets
# sysadm_t transition into the unconfined domain, which presumably lifts most
# type-enforcement limits for whatever is started that way. Deployments that
# count on sysadm being confined should check whether the unconfined module is
# installed (semodule -l) and treat this grant as part of the sysadm boundary.
387 | optional_policy(` | |
b34db7a8 | 388 | unconfined_domtrans(sysadm_t) |
e9c6cda7 CP |
389 | ') |
390 | ||
9427adb7 MG |
391 | optional_policy(` |
392 | udev_run(sysadm_t, sysadm_r) | |
393 | ') | |
394 | ||
e9c6cda7 | 395 | optional_policy(` |
296273a7 CP |
396 | unprivuser_role_change(sysadm_r) |
397 | ') | |
398 | ||
399 | optional_policy(` | |
400 | usbmodules_run(sysadm_t, sysadm_r) | |
401 | ') | |
e9c6cda7 | 402 | |
296273a7 CP |
403 | optional_policy(` |
404 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
405 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
406 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
407 | ') | |
408 | ||
# NOTE(review): the next two optional blocks are identical - both call
# vpn_run(sysadm_t, sysadm_r) - and the blame column attributes them to
# different commits. One copy looks redundant; confirm and remove it.
3eaa9939 DW |
409 | |
410 | optional_policy(` | |
411 | vpn_run(sysadm_t, sysadm_r) | |
412 | ') | |
e9c6cda7 CP |
413 | |
414 | optional_policy(` | |
296273a7 | 415 | vpn_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
416 | ') |
417 | ||
418 | optional_policy(` | |
296273a7 | 419 | webalizer_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
420 | ') |
421 | ||
3eaa9939 DW |
422 | optional_policy(` |
423 | virt_stream_connect(sysadm_t) | |
424 | ') | |
425 | ||
d35e2ee0 | 426 | optional_policy(` |
7f9f5bce | 427 | vlock_run(sysadm_t, sysadm_r) |
d35e2ee0 HC |
428 | ') |
429 | ||
# NOTE(review): xserver_role(sysadm_r, sysadm_t) is called again at file line
# 548 inside the ifndef distro_redhat section, so builds without distro_redhat
# compile it twice - confirm the repeat is harmless or drop one copy.
e9c6cda7 | 430 | optional_policy(` |
296273a7 | 431 | xserver_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
432 | ') |
433 | ||
434 | optional_policy(` | |
296273a7 | 435 | yam_run(sysadm_t, sysadm_r) |
e9c6cda7 | 436 | ') |
c87e1502 | 437 | |
3eaa9939 DW |
438 | optional_policy(` |
439 | zebra_stream_connect(sysadm_t) | |
c87e1502 JS |
440 | ') |
441 | ||
# Compiled only when distro_redhat is NOT defined. Everything inside grants
# sysadm the per-application role interfaces (desktop, mail, media, browser and
# similar programs).
# NOTE(review): presumably Red Hat builds leave these out to keep such
# applications away from the administrator role - confirm intent. On other
# builds, each block widens what can run under sysadm_r, so sites that want a
# narrow admin role should review which of these modules are installed.
2968e068 DW |
442 | ifndef(`distro_redhat',` |
443 | optional_policy(` | |
444 | apache_role(sysadm_r, sysadm_t) | |
445 | ') | |
446 | optional_policy(` | |
447 | auth_role(sysadm_r, sysadm_t) | |
448 | ') | |
3eaa9939 | 449 | |
2968e068 DW |
450 | optional_policy(` |
451 | bluetooth_role(sysadm_r, sysadm_t) | |
452 | ') | |
453 | ||
454 | optional_policy(` | |
455 | cdrecord_role(sysadm_r, sysadm_t) | |
456 | ') | |
457 | ||
458 | optional_policy(` | |
459 | cron_admin_role(sysadm_r, sysadm_t) | |
460 | ') | |
461 | ||
# NOTE(review): repeats the dbus_role_template call made unconditionally at
# file line 166 with the same arguments - confirm the second expansion does
# not redeclare what the first already declared, or drop this copy.
462 | optional_policy(` | |
463 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
464 | ') | |
465 | ||
466 | optional_policy(` | |
467 | evolution_role(sysadm_r, sysadm_t) | |
468 | ') | |
469 | ||
470 | optional_policy(` | |
471 | games_role(sysadm_r, sysadm_t) | |
472 | ') | |
473 | ||
474 | optional_policy(` | |
475 | gift_role(sysadm_r, sysadm_t) | |
476 | ') | |
477 | ||
# NOTE(review): the second call names unconfined_usertype, while every other
# call in this module targets sysadm_t or sysadm_r, and the visible lines of
# this file neither declare nor require that attribute. It looks carried over
# from the unconfined module (blame shows a separate commit) - confirm whether
# sysadm_t was intended, since as written the grant does not apply to sysadm.
478 | optional_policy(` | |
479 | gnome_role(sysadm_r, sysadm_t) | |
15b2e336 | 480 | gnome_admin_home_dir_filetrans(unconfined_usertype) |
2968e068 DW |
481 | ') |
482 | ||
483 | optional_policy(` | |
484 | gpg_role(sysadm_r, sysadm_t) | |
485 | ') | |
486 | ||
487 | optional_policy(` | |
488 | irc_role(sysadm_r, sysadm_t) | |
489 | ') | |
490 | ||
491 | optional_policy(` | |
492 | java_role(sysadm_r, sysadm_t) | |
493 | ') | |
494 | ||
495 | optional_policy(` | |
496 | lockdev_role(sysadm_r, sysadm_t) | |
497 | ') | |
498 | ||
499 | optional_policy(` | |
500 | mozilla_role(sysadm_r, sysadm_t) | |
501 | ') | |
502 | ||
503 | optional_policy(` | |
504 | mplayer_role(sysadm_r, sysadm_t) | |
505 | ') | |
506 | ||
507 | optional_policy(` | |
508 | pyzor_role(sysadm_r, sysadm_t) | |
509 | ') | |
510 | ||
511 | optional_policy(` | |
512 | razor_role(sysadm_r, sysadm_t) | |
513 | ') | |
514 | ||
515 | optional_policy(` | |
516 | rssh_role(sysadm_r, sysadm_t) | |
517 | ') | |
518 | ||
519 | optional_policy(` | |
520 | spamassassin_role(sysadm_r, sysadm_t) | |
521 | ') | |
522 | ||
523 | optional_policy(` | |
524 | thunderbird_role(sysadm_r, sysadm_t) | |
525 | ') | |
526 | ||
527 | optional_policy(` | |
528 | tvtime_role(sysadm_r, sysadm_t) | |
529 | ') | |
530 | ||
531 | optional_policy(` | |
532 | uml_role(sysadm_r, sysadm_t) | |
533 | ') | |
534 | ||
535 | optional_policy(` | |
536 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
537 | ') | |
538 | ||
539 | optional_policy(` | |
540 | vmware_role(sysadm_r, sysadm_t) | |
541 | ') | |
542 | ||
543 | optional_policy(` | |
544 | wireshark_role(sysadm_r, sysadm_t) | |
545 | ') | |
546 | ||
# NOTE(review): repeats the xserver_role call made unconditionally at file
# line 431 - confirm the repeat is harmless or drop one copy.
547 | optional_policy(` | |
548 | xserver_role(sysadm_r, sysadm_t) | |
549 | ') | |
550 | ') |