| | 1 | policy_module(sysadm, 2.2.0) |
| | 2 | |
| | 3 | ######################################## |
| | 4 | # |
| | 5 | # Declarations |
| | 6 | # |
| | 7 | |
| | 8 | ## <desc> |
| | 9 | ## <p> |
| | 10 | ## Allow sysadm to debug or ptrace all processes. |
| | 11 | ## </p> |
| | 12 | ## </desc> |
| | 13 | gen_tunable(allow_ptrace, false) |
| | 14 | |
| | 15 | role sysadm_r; |
| | 16 | |
| | 17 | userdom_admin_user_template(sysadm) |
| | 18 | |
| | 19 | ifndef(`enable_mls',` |
| | 20 | userdom_security_admin_template(sysadm_t, sysadm_r) |
| | 21 | ') |
| | 22 | |
| | 23 | ######################################## |
| | 24 | # |
| | 25 | # Local policy |
| | 26 | # |
| | 27 | kernel_read_fs_sysctls(sysadm_t) |
| | 28 | |
| | 29 | corecmd_exec_shell(sysadm_t) |
| | 30 | |
| | 31 | domain_dontaudit_read_all_domains_state(sysadm_t) |
| | 32 | |
| | 33 | files_read_kernel_modules(sysadm_t) |
| | 34 | |
| | 35 | dev_filetrans_all_named_dev(sysadm_t) |
| | 36 | storage_filetrans_all_named_dev(sysadm_t) |
| | 37 | term_filetrans_all_named_dev(sysadm_t) |
| | 38 | |
| | 39 | mls_process_read_up(sysadm_t) |
| | 40 | mls_file_read_to_clearance(sysadm_t) |
| | 41 | mls_process_write_to_clearance(sysadm_t) |
| | 42 | |
| | 43 | storage_setattr_fixed_disk_dev(sysadm_t) |
| | 44 | |
| | 45 | ubac_process_exempt(sysadm_t) |
| | 46 | ubac_file_exempt(sysadm_t) |
| | 47 | ubac_fd_exempt(sysadm_t) |
| | 48 | |
| | 49 | application_exec(sysadm_t) |
| | 50 | |
| | 51 | init_exec(sysadm_t) |
| | 52 | init_exec_script_files(sysadm_t) |
| | 53 | init_dbus_chat(sysadm_t) |
| | 54 | init_script_role_transition(sysadm_r) |
| | 55 | |
| | 56 | miscfiles_read_hwdata(sysadm_t) |
| | 57 | |
| | 58 | sysnet_etc_filetrans_config(sysadm_t, resolv.conf) |
| | 59 | sysnet_etc_filetrans_config(sysadm_t, denyhosts) |
| | 60 | sysnet_etc_filetrans_config(sysadm_t, hosts) |
| | 61 | sysnet_etc_filetrans_config(sysadm_t, ethers) |
| | 62 | sysnet_etc_filetrans_config(sysadm_t, yp.conf) |
| | 63 | |
| | 64 | # Add/remove user home directories |
| | 65 | userdom_manage_user_home_dirs(sysadm_t) |
| | 66 | userdom_home_filetrans_user_home_dir(sysadm_t) |
| | 67 | userdom_manage_user_tmp_dirs(sysadm_t) |
| | 68 | userdom_manage_user_tmp_files(sysadm_t) |
| | 69 | userdom_manage_user_tmp_symlinks(sysadm_t) |
| | 70 | userdom_manage_user_tmp_chr_files(sysadm_t) |
| | 71 | userdom_manage_user_tmp_blk_files(sysadm_t) |
| | 72 | |
| | 73 | optional_policy(` |
| | 74 | ssh_admin_home_dir_filetrans(sysadm_t) |
| | 75 | ') |
| | 76 | |
| | 77 | ifdef(`direct_sysadm_daemon',` |
| | 78 | optional_policy(` |
| | 79 | init_run_daemon(sysadm_t, sysadm_r) |
| | 80 | ') |
| | 81 | ',` |
| | 82 | ifdef(`distro_gentoo',` |
| | 83 | optional_policy(` |
| | 84 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) |
| | 85 | ') |
| | 86 | ') |
| | 87 | ') |
| | 88 | |
| | 89 | ifndef(`enable_mls',` |
| | 90 | logging_manage_audit_log(sysadm_t) |
| | 91 | logging_manage_audit_config(sysadm_t) |
| | 92 | logging_run_auditctl(sysadm_t, sysadm_r) |
| | 93 | logging_stream_connect_syslog(sysadm_t) |
| | 94 | ') |
| | 95 | |
| | 96 | tunable_policy(`allow_ptrace',` |
| | 97 | domain_ptrace_all_domains(sysadm_t) |
| | 98 | ') |
| | 99 | |
| | 100 | optional_policy(` |
| | 101 | amanda_run_recover(sysadm_t, sysadm_r) |
| | 102 | ') |
| | 103 | |
| | 104 | optional_policy(` |
| | 105 | apache_run_helper(sysadm_t, sysadm_r) |
| | 106 | apache_filetrans_home_content(sysadm_t) |
| | 107 | #apache_run_all_scripts(sysadm_t, sysadm_r) |
| | 108 | #apache_domtrans_sys_script(sysadm_t) |
| | 109 | ') |
| | 110 | |
| | 111 | optional_policy(` |
| | 112 | # cjp: why is this not apm_run_client |
| | 113 | apm_domtrans_client(sysadm_t) |
| | 114 | ') |
| | 115 | |
| | 116 | optional_policy(` |
| | 117 | apt_run(sysadm_t, sysadm_r) |
| | 118 | ') |
| | 119 | |
| | 120 | optional_policy(` |
| | 121 | auditadm_role_change(sysadm_r) |
| | 122 | ') |
| | 123 | |
| | 124 | optional_policy(` |
| | 125 | backup_run(sysadm_t, sysadm_r) |
| | 126 | ') |
| | 127 | |
| | 128 | optional_policy(` |
| | 129 | bind_run_ndc(sysadm_t, sysadm_r) |
| | 130 | ') |
| | 131 | |
| | 132 | optional_policy(` |
| | 133 | bootloader_run(sysadm_t, sysadm_r) |
| | 134 | ') |
| | 135 | |
| | 136 | optional_policy(` |
| | 137 | certmonger_dbus_chat(sysadm_t) |
| | 138 | ') |
| | 139 | |
| | 140 | optional_policy(` |
| | 141 | certwatch_run(sysadm_t, sysadm_r) |
| | 142 | ') |
| | 143 | |
| | 144 | optional_policy(` |
| | 145 | clock_run(sysadm_t, sysadm_r) |
| | 146 | ') |
| | 147 | |
| | 148 | optional_policy(` |
| | 149 | clockspeed_run_cli(sysadm_t, sysadm_r) |
| | 150 | ') |
| | 151 | |
| | 152 | optional_policy(` |
| | 153 | consoletype_run(sysadm_t, sysadm_r) |
| | 154 | ') |
| | 155 | |
| | 156 | optional_policy(` |
| | 157 | daemonstools_run_start(sysadm_t, sysadm_r) |
| | 158 | ') |
| | 159 | |
| | 160 | optional_policy(` |
| | 161 | dcc_run_cdcc(sysadm_t, sysadm_r) |
| | 162 | dcc_run_client(sysadm_t, sysadm_r) |
| | 163 | dcc_run_dbclean(sysadm_t, sysadm_r) |
| | 164 | ') |
| | 165 | |
| | 166 | optional_policy(` |
| | 167 | dbus_role_template(sysadm, sysadm_r, sysadm_t) |
| | 168 | ') |
| | 169 | |
| | 170 | optional_policy(` |
| | 171 | ddcprobe_run(sysadm_t, sysadm_r) |
| | 172 | ') |
| | 173 | |
| | 174 | optional_policy(` |
| | 175 | dmesg_exec(sysadm_t) |
| | 176 | ') |
| | 177 | |
| | 178 | optional_policy(` |
| | 179 | dmidecode_run(sysadm_t, sysadm_r) |
| | 180 | ') |
| | 181 | |
| | 182 | optional_policy(` |
| | 183 | dpkg_run(sysadm_t, sysadm_r) |
| | 184 | ') |
| | 185 | |
| | 186 | optional_policy(` |
| | 187 | firstboot_run(sysadm_t, sysadm_r) |
| | 188 | ') |
| | 189 | |
| | 190 | optional_policy(` |
| | 191 | fstools_run(sysadm_t, sysadm_r) |
| | 192 | ') |
| | 193 | |
| | 194 | optional_policy(` |
| | 195 | hostname_run(sysadm_t, sysadm_r) |
| | 196 | ') |
| | 197 | |
| | 198 | optional_policy(` |
| | 199 | hadoop_role(sysadm_r, sysadm_t) |
| | 200 | ') |
| | 201 | |
| | 202 | optional_policy(` |
| | 203 | # allow system administrator to use the ipsec script to look |
| | 204 | # at things (e.g., ipsec auto --status) |
| | 205 | # probably should create an ipsec_admin role for this kind of thing |
| | 206 | ipsec_exec_mgmt(sysadm_t) |
| | 207 | ipsec_stream_connect(sysadm_t) |
| | 208 | # for lsof |
| | 209 | ipsec_getattr_key_sockets(sysadm_t) |
| | 210 | ipsec_run_setkey(sysadm_t, sysadm_r) |
| | 211 | ipsec_run_racoon(sysadm_t, sysadm_r) |
| | 212 | ipsec_stream_connect_racoon(sysadm_t) |
| | 213 | |
| | 214 | optional_policy(` |
| | 215 | ipsec_mgmt_dbus_chat(sysadm_t) |
| | 216 | ') |
| | 217 | ') |
| | 218 | |
| | 219 | optional_policy(` |
| | 220 | iptables_run(sysadm_t, sysadm_r) |
| | 221 | ') |
| | 222 | |
| | 223 | optional_policy(` |
| | 224 | kerberos_exec_kadmind(sysadm_t) |
| | 225 | kerberos_filetrans_named_content(sysadm_t) |
| | 226 | ') |
| | 227 | |
| | 228 | optional_policy(` |
| | 229 | kudzu_run(sysadm_t, sysadm_r) |
| | 230 | ') |
| | 231 | |
| | 232 | optional_policy(` |
| | 233 | libs_run_ldconfig(sysadm_t, sysadm_r) |
| | 234 | ') |
| | 235 | |
| | 236 | optional_policy(` |
| | 237 | logrotate_run(sysadm_t, sysadm_r) |
| | 238 | ') |
| | 239 | |
| | 240 | optional_policy(` |
| | 241 | lpd_run_checkpc(sysadm_t, sysadm_r) |
| | 242 | lpd_role(sysadm_r, sysadm_t) |
| | 243 | ') |
| | 244 | |
| | 245 | optional_policy(` |
| | 246 | lvm_run(sysadm_t, sysadm_r) |
| | 247 | ') |
| | 248 | |
| | 249 | optional_policy(` |
| | 250 | modutils_run_depmod(sysadm_t, sysadm_r) |
| | 251 | modutils_run_insmod(sysadm_t, sysadm_r) |
| | 252 | modutils_run_update_mods(sysadm_t, sysadm_r) |
| | 253 | modutils_read_module_deps(sysadm_t) |
| | 254 | ') |
| | 255 | |
| | 256 | optional_policy(` |
| | 257 | mount_run(sysadm_t, sysadm_r) |
| | 258 | mount_run_showmount(sysadm_t, sysadm_r) |
| | 259 | ') |
| | 260 | |
| | 261 | optional_policy(` |
| | 262 | mta_role(sysadm_r, sysadm_t) |
| | 263 | mta_filetrans_home_content(sysadm_t) |
| | 264 | mta_filetrans_admin_home_content(sysadm_t) |
| | 265 | ') |
| | 266 | |
| | 267 | optional_policy(` |
| | 268 | munin_stream_connect(sysadm_t) |
| | 269 | ') |
| | 270 | |
| | 271 | optional_policy(` |
| | 272 | mysql_stream_connect(sysadm_t) |
| | 273 | ') |
| | 274 | |
| | 275 | optional_policy(` |
| | 276 | ncftool_run(sysadm_t, sysadm_r) |
| | 277 | ') |
| | 278 | |
| | 279 | optional_policy(` |
| | 280 | netutils_run(sysadm_t, sysadm_r) |
| | 281 | netutils_run_ping(sysadm_t, sysadm_r) |
| | 282 | netutils_run_traceroute(sysadm_t, sysadm_r) |
| | 283 | ') |
| | 284 | |
| | 285 | optional_policy(` |
| | 286 | ntp_stub() |
| | 287 | corenet_udp_bind_ntp_port(sysadm_t) |
| | 288 | ') |
| | 289 | |
| | 290 | optional_policy(` |
| | 291 | oav_run_update(sysadm_t, sysadm_r) |
| | 292 | ') |
| | 293 | |
| | 294 | optional_policy(` |
| | 295 | pcmcia_run_cardctl(sysadm_t, sysadm_r) |
| | 296 | ') |
| | 297 | |
| | 298 | optional_policy(` |
| | 299 | portage_run(sysadm_t, sysadm_r) |
| | 300 | portage_run_gcc_config(sysadm_t, sysadm_r) |
| | 301 | ') |
| | 302 | |
| | 303 | optional_policy(` |
| | 304 | portmap_run_helper(sysadm_t, sysadm_r) |
| | 305 | ') |
| | 306 | |
| | 307 | optional_policy(` |
| | 308 | prelink_run(sysadm_t, sysadm_r) |
| | 309 | ') |
| | 310 | |
| | 311 | optional_policy(` |
| | 312 | quota_run(sysadm_t, sysadm_r) |
| | 313 | ') |
| | 314 | |
| | 315 | optional_policy(` |
| | 316 | raid_domtrans_mdadm(sysadm_t) |
| | 317 | ') |
| | 318 | |
| | 319 | optional_policy(` |
| | 320 | rpc_domtrans_nfsd(sysadm_t) |
| | 321 | ') |
| | 322 | |
| | 323 | optional_policy(` |
| | 324 | rpm_run(sysadm_t, sysadm_r) |
| | 325 | rpm_dbus_chat(sysadm_t, sysadm_r) |
| | 326 | ') |
| | 327 | |
| | 328 | |
| | 329 | optional_policy(` |
| | 330 | rsync_exec(sysadm_t) |
| | 331 | ') |
| | 332 | |
| | 333 | optional_policy(` |
| | 334 | samba_run_net(sysadm_t, sysadm_r) |
| | 335 | samba_run_winbind_helper(sysadm_t, sysadm_r) |
| | 336 | ') |
| | 337 | |
| | 338 | optional_policy(` |
| | 339 | samhain_admin(sysadm_t) |
| | 340 | ') |
| | 341 | |
| | 342 | optional_policy(` |
| | 343 | screen_role_template(sysadm, sysadm_r, sysadm_t) |
| | 344 | ') |
| | 345 | |
| | 346 | optional_policy(` |
| | 347 | secadm_role_change(sysadm_r) |
| | 348 | ') |
| | 349 | |
| | 350 | optional_policy(` |
| | 351 | seutil_run_setfiles(sysadm_t, sysadm_r) |
| | 352 | seutil_run_runinit(sysadm_t, sysadm_r) |
| | 353 | ') |
| | 354 | |
| | 355 | optional_policy(` |
| | 356 | shutdown_run(sysadm_t, sysadm_r) |
| | 357 | ') |
| | 358 | |
| | 359 | optional_policy(` |
| | 360 | ssh_role_template(sysadm, sysadm_r, sysadm_t) |
| | 361 | ') |
| | 362 | |
| | 363 | optional_policy(` |
| | 364 | staff_role_change(sysadm_r) |
| | 365 | ') |
| | 366 | |
| | 367 | optional_policy(` |
| | 368 | su_role_template(sysadm, sysadm_r, sysadm_t) |
| | 369 | ') |
| | 370 | |
| | 371 | optional_policy(` |
| | 372 | sudo_role_template(sysadm, sysadm_r, sysadm_t) |
| | 373 | ') |
| | 374 | |
| | 375 | optional_policy(` |
| | 376 | sysnet_run_ifconfig(sysadm_t, sysadm_r) |
| | 377 | sysnet_run_dhcpc(sysadm_t, sysadm_r) |
| | 378 | ') |
| | 379 | |
| | 380 | optional_policy(` |
| | 381 | tripwire_run_siggen(sysadm_t, sysadm_r) |
| | 382 | tripwire_run_tripwire(sysadm_t, sysadm_r) |
| | 383 | tripwire_run_twadmin(sysadm_t, sysadm_r) |
| | 384 | tripwire_run_twprint(sysadm_t, sysadm_r) |
| | 385 | ') |
| | 386 | |
| | 387 | optional_policy(` |
| | 388 | tzdata_domtrans(sysadm_t) |
| | 389 | ') |
| | 390 | |
| | 391 | optional_policy(` |
| | 392 | unconfined_domtrans(sysadm_t) |
| | 393 | ') |
| | 394 | |
| | 395 | optional_policy(` |
| | 396 | udev_run(sysadm_t, sysadm_r) |
| | 397 | ') |
| | 398 | |
| | 399 | optional_policy(` |
| | 400 | unprivuser_role_change(sysadm_r) |
| | 401 | ') |
| | 402 | |
| | 403 | optional_policy(` |
| | 404 | usbmodules_run(sysadm_t, sysadm_r) |
| | 405 | ') |
| | 406 | |
| | 407 | optional_policy(` |
| | 408 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) |
| | 409 | usermanage_run_groupadd(sysadm_t, sysadm_r) |
| | 410 | usermanage_run_useradd(sysadm_t, sysadm_r) |
| | 411 | ') |
| | 412 | |
| | 413 | |
| | 414 | optional_policy(` |
| | 415 | vpn_run(sysadm_t, sysadm_r) |
| | 416 | ') |
| | 417 | |
| | 418 | optional_policy(` |
| | 419 | vpn_run(sysadm_t, sysadm_r) |
| | 420 | ') |
| | 421 | |
| | 422 | optional_policy(` |
| | 423 | webalizer_run(sysadm_t, sysadm_r) |
| | 424 | ') |
| | 425 | |
| | 426 | optional_policy(` |
| | 427 | virt_stream_connect(sysadm_t) |
| | 428 | virt_user_home_dir_filetrans(sysadm_t) |
| | 429 | ') |
| | 430 | |
| | 431 | optional_policy(` |
| | 432 | vlock_run(sysadm_t, sysadm_r) |
| | 433 | ') |
| | 434 | |
| | 435 | optional_policy(` |
| | 436 | xserver_role(sysadm_r, sysadm_t) |
| | 437 | ') |
| | 438 | |
| | 439 | optional_policy(` |
| | 440 | yam_run(sysadm_t, sysadm_r) |
| | 441 | ') |
| | 442 | |
| | 443 | optional_policy(` |
| | 444 | zebra_stream_connect(sysadm_t) |
| | 445 | ') |
| | 446 | |
| | 447 | ifndef(`distro_redhat',` |
| | 448 | optional_policy(` |
| | 449 | apache_role(sysadm_r, sysadm_t) |
| | 450 | ') |
| | 451 | optional_policy(` |
| | 452 | auth_role(sysadm_r, sysadm_t) |
| | 453 | ') |
| | 454 | |
| | 455 | optional_policy(` |
| | 456 | bluetooth_role(sysadm_r, sysadm_t) |
| | 457 | ') |
| | 458 | |
| | 459 | optional_policy(` |
| | 460 | cdrecord_role(sysadm_r, sysadm_t) |
| | 461 | ') |
| | 462 | |
| | 463 | optional_policy(` |
| | 464 | cron_admin_role(sysadm_r, sysadm_t) |
| | 465 | ') |
| | 466 | |
| | 467 | optional_policy(` |
| | 468 | dbus_role_template(sysadm, sysadm_r, sysadm_t) |
| | 469 | ') |
| | 470 | |
| | 471 | optional_policy(` |
| | 472 | evolution_role(sysadm_r, sysadm_t) |
| | 473 | ') |
| | 474 | |
| | 475 | optional_policy(` |
| | 476 | games_role(sysadm_r, sysadm_t) |
| | 477 | ') |
| | 478 | |
| | 479 | optional_policy(` |
| | 480 | gift_role(sysadm_r, sysadm_t) |
| | 481 | ') |
| | 482 | |
| | 483 | optional_policy(` |
| | 484 | gnome_role(sysadm_r, sysadm_t) |
| | 485 | gnome_admin_home_dir_filetrans(sysadm_t) |
| | 486 | ') |
| | 487 | |
| | 488 | optional_policy(` |
| | 489 | gpg_role(sysadm_r, sysadm_t) |
| | 490 | ') |
| | 491 | |
| | 492 | optional_policy(` |
| | 493 | irc_role(sysadm_r, sysadm_t) |
| | 494 | ') |
| | 495 | |
| | 496 | optional_policy(` |
| | 497 | java_role(sysadm_r, sysadm_t) |
| | 498 | ') |
| | 499 | |
| | 500 | optional_policy(` |
| | 501 | lockdev_role(sysadm_r, sysadm_t) |
| | 502 | ') |
| | 503 | |
| | 504 | optional_policy(` |
| | 505 | mozilla_role(sysadm_r, sysadm_t) |
| | 506 | ') |
| | 507 | |
| | 508 | optional_policy(` |
| | 509 | mplayer_role(sysadm_r, sysadm_t) |
| | 510 | ') |
| | 511 | |
| | 512 | optional_policy(` |
| | 513 | pyzor_role(sysadm_r, sysadm_t) |
| | 514 | ') |
| | 515 | |
| | 516 | optional_policy(` |
| | 517 | razor_role(sysadm_r, sysadm_t) |
| | 518 | ') |
| | 519 | |
| | 520 | optional_policy(` |
| | 521 | rssh_role(sysadm_r, sysadm_t) |
| | 522 | ') |
| | 523 | |
| | 524 | optional_policy(` |
| | 525 | spamassassin_role(sysadm_r, sysadm_t) |
| | 526 | ') |
| | 527 | |
| | 528 | optional_policy(` |
| | 529 | thunderbird_role(sysadm_r, sysadm_t) |
| | 530 | ') |
| | 531 | |
| | 532 | optional_policy(` |
| | 533 | tvtime_role(sysadm_r, sysadm_t) |
| | 534 | ') |
| | 535 | |
| | 536 | optional_policy(` |
| | 537 | uml_role(sysadm_r, sysadm_t) |
| | 538 | ') |
| | 539 | |
| | 540 | optional_policy(` |
| | 541 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) |
| | 542 | ') |
| | 543 | |
| | 544 | optional_policy(` |
| | 545 | vmware_role(sysadm_r, sysadm_t) |
| | 546 | ') |
| | 547 | |
| | 548 | optional_policy(` |
| | 549 | wireshark_role(sysadm_r, sysadm_t) |
| | 550 | ') |
| | 551 | |
| | 552 | optional_policy(` |
| | 553 | xserver_role(sysadm_r, sysadm_t) |
| | 554 | ') |
| | 555 | ') |
projects / people / stevee / selinux-policy.git / blame_incremental