Commit | Line | Data |
---|---|---|
1 | policy_module(sysadm, 2.2.0) | |
2 | ||
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | ## <desc> | |
9 | ## <p> | |
10 | ## Allow sysadm to debug or ptrace all processes. | |
 | ## The default is false. In this listing the only rule gated by this tunable is the | |
 | ## domain_ptrace_all_domains call on sysadm_t inside the allow_ptrace tunable_policy block. | |
11 | ## </p> | |
12 | ## </desc> | |
13 | gen_tunable(allow_ptrace, false) | |
14 | ||
15 | role sysadm_r; | |
16 | ||
17 | userdom_admin_user_template(sysadm) | |
18 | ||
 | # The template call below is compiled only when enable_mls is not defined. | |
 | # REVIEW NOTE: presumably MLS builds reserve it for a separate security administrator role; confirm against the secadm module. | |
19 | ifndef(`enable_mls',` | |
20 | userdom_security_admin_template(sysadm_t, sysadm_r) | |
21 | ') | |
22 | ||
23 | ######################################## | |
24 | # | |
25 | # Local policy | |
26 | # | |
27 | kernel_read_fs_sysctls(sysadm_t) | |
28 | ||
29 | corecmd_exec_shell(sysadm_t) | |
30 | ||
31 | domain_dontaudit_read_all_domains_state(sysadm_t) | |
32 | ||
33 | files_read_kernel_modules(sysadm_t) | |
34 | ||
35 | dev_filetrans_all_named_dev(sysadm_t) | |
36 | storage_filetrans_all_named_dev(sysadm_t) | |
37 | term_filetrans_all_named_dev(sysadm_t) | |
38 | ||
 | # REVIEW NOTE: going by the interface names, the next three calls relax MLS constraints for sysadm_t: | |
 | # reading processes above its level, reading files and writing processes up to its clearance. | |
 | # The definitions are not part of this listing; confirm in the mls interface file. | |
39 | mls_process_read_up(sysadm_t) | |
40 | mls_file_read_to_clearance(sysadm_t) | |
41 | mls_process_write_to_clearance(sysadm_t) | |
42 | ||
43 | storage_setattr_fixed_disk_dev(sysadm_t) | |
44 | ||
 | # REVIEW NOTE: going by the interface names, sysadm_t is exempted from user-based access control | |
 | # for processes, files and file descriptors, so per-user separation would not constrain it. | |
 | # Confirm in the ubac interface file. | |
45 | ubac_process_exempt(sysadm_t) | |
46 | ubac_file_exempt(sysadm_t) | |
47 | ubac_fd_exempt(sysadm_t) | |
48 | ||
49 | application_exec(sysadm_t) | |
50 | ||
51 | init_exec(sysadm_t) | |
52 | init_exec_script_files(sysadm_t) | |
53 | init_dbus_chat(sysadm_t) | |
54 | init_script_role_transition(sysadm_r) | |
55 | ||
56 | miscfiles_read_hwdata(sysadm_t) | |
57 | ||
58 | sysnet_etc_filetrans_config(sysadm_t, resolv.conf) | |
59 | sysnet_etc_filetrans_config(sysadm_t, denyhosts) | |
60 | sysnet_etc_filetrans_config(sysadm_t, hosts) | |
61 | sysnet_etc_filetrans_config(sysadm_t, ethers) | |
62 | sysnet_etc_filetrans_config(sysadm_t, yp.conf) | |
63 | ||
64 | # Add/remove user home directories | |
65 | userdom_manage_user_home_dirs(sysadm_t) | |
66 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
67 | userdom_manage_user_tmp_dirs(sysadm_t) | |
68 | userdom_manage_user_tmp_files(sysadm_t) | |
69 | userdom_manage_user_tmp_symlinks(sysadm_t) | |
70 | userdom_manage_user_tmp_chr_files(sysadm_t) | |
71 | userdom_manage_user_tmp_blk_files(sysadm_t) | |
72 | ||
73 | optional_policy(` | |
74 | ssh_admin_home_dir_filetrans(sysadm_t) | |
75 | ') | |
76 | ||
77 | ifdef(`direct_sysadm_daemon',` | |
78 | optional_policy(` | |
79 | init_run_daemon(sysadm_t, sysadm_r) | |
80 | ') | |
81 | ',` | |
82 | ifdef(`distro_gentoo',` | |
83 | optional_policy(` | |
84 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) | |
85 | ') | |
86 | ') | |
87 | ') | |
88 | ||
89 | ifndef(`enable_mls',` | |
 | # Compiled only when enable_mls is not defined. | |
 | # REVIEW NOTE: going by the interface names sysadm_t can then manage the audit log and audit configuration and run auditctl - | |
 | # that is the administrator can alter the record of its own actions. Confirm this is acceptable for non-MLS deployments. | |
90 | logging_manage_audit_log(sysadm_t) | |
91 | logging_manage_audit_config(sysadm_t) | |
92 | logging_run_auditctl(sysadm_t, sysadm_r) | |
93 | logging_stream_connect_syslog(sysadm_t) | |
94 | ') | |
95 | ||
96 | tunable_policy(`allow_ptrace',` | |
 | # Gated by the allow_ptrace tunable which this file declares with a default of false. | |
 | # REVIEW NOTE: by its name the interface covers every domain - so enabling the tunable presumably lets sysadm_t | |
 | # attach to any process including security-sensitive daemons. Keep it off unless debugging requires it. | |
97 | domain_ptrace_all_domains(sysadm_t) | |
98 | ') | |
99 | ||
100 | optional_policy(` | |
101 | amanda_run_recover(sysadm_t, sysadm_r) | |
102 | ') | |
103 | ||
104 | optional_policy(` | |
105 | apache_run_helper(sysadm_t, sysadm_r) | |
106 | apache_filetrans_home_content(sysadm_t) | |
107 | #apache_run_all_scripts(sysadm_t, sysadm_r) | |
108 | #apache_domtrans_sys_script(sysadm_t) | |
109 | ') | |
110 | ||
111 | optional_policy(` | |
112 | # cjp: why is this not apm_run_client | |
113 | apm_domtrans_client(sysadm_t) | |
114 | ') | |
115 | ||
116 | optional_policy(` | |
117 | apt_run(sysadm_t, sysadm_r) | |
118 | ') | |
119 | ||
120 | optional_policy(` | |
121 | auditadm_role_change(sysadm_r) | |
122 | ') | |
123 | ||
124 | optional_policy(` | |
125 | backup_run(sysadm_t, sysadm_r) | |
126 | ') | |
127 | ||
128 | optional_policy(` | |
129 | bind_run_ndc(sysadm_t, sysadm_r) | |
130 | ') | |
131 | ||
132 | optional_policy(` | |
133 | bootloader_run(sysadm_t, sysadm_r) | |
134 | ') | |
135 | ||
136 | optional_policy(` | |
137 | certmonger_dbus_chat(sysadm_t) | |
138 | ') | |
139 | ||
140 | optional_policy(` | |
141 | certwatch_run(sysadm_t, sysadm_r) | |
142 | ') | |
143 | ||
144 | optional_policy(` | |
145 | clock_run(sysadm_t, sysadm_r) | |
146 | ') | |
147 | ||
148 | optional_policy(` | |
149 | clockspeed_run_cli(sysadm_t, sysadm_r) | |
150 | ') | |
151 | ||
152 | optional_policy(` | |
153 | consoletype_run(sysadm_t, sysadm_r) | |
154 | ') | |
155 | ||
156 | optional_policy(` | |
157 | daemonstools_run_start(sysadm_t, sysadm_r) | |
158 | ') | |
159 | ||
160 | optional_policy(` | |
161 | dcc_run_cdcc(sysadm_t, sysadm_r) | |
162 | dcc_run_client(sysadm_t, sysadm_r) | |
163 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
164 | ') | |
165 | ||
166 | optional_policy(` | |
167 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
168 | ') | |
169 | ||
170 | optional_policy(` | |
171 | ddcprobe_run(sysadm_t, sysadm_r) | |
172 | ') | |
173 | ||
174 | optional_policy(` | |
175 | dmesg_exec(sysadm_t) | |
176 | ') | |
177 | ||
178 | optional_policy(` | |
179 | dmidecode_run(sysadm_t, sysadm_r) | |
180 | ') | |
181 | ||
182 | optional_policy(` | |
183 | dpkg_run(sysadm_t, sysadm_r) | |
184 | ') | |
185 | ||
186 | optional_policy(` | |
187 | firstboot_run(sysadm_t, sysadm_r) | |
188 | ') | |
189 | ||
190 | optional_policy(` | |
191 | fstools_run(sysadm_t, sysadm_r) | |
192 | ') | |
193 | ||
194 | optional_policy(` | |
195 | hostname_run(sysadm_t, sysadm_r) | |
196 | ') | |
197 | ||
198 | optional_policy(` | |
199 | hadoop_role(sysadm_r, sysadm_t) | |
200 | ') | |
201 | ||
202 | optional_policy(` | |
203 | # allow system administrator to use the ipsec script to look | |
204 | # at things (e.g., ipsec auto --status) | |
205 | # probably should create an ipsec_admin role for this kind of thing | |
206 | ipsec_exec_mgmt(sysadm_t) | |
207 | ipsec_stream_connect(sysadm_t) | |
208 | # for lsof | |
209 | ipsec_getattr_key_sockets(sysadm_t) | |
210 | ipsec_run_setkey(sysadm_t, sysadm_r) | |
211 | ipsec_run_racoon(sysadm_t, sysadm_r) | |
212 | ipsec_stream_connect_racoon(sysadm_t) | |
213 | ||
214 | optional_policy(` | |
215 | ipsec_mgmt_dbus_chat(sysadm_t) | |
216 | ') | |
217 | ') | |
218 | ||
219 | optional_policy(` | |
220 | iptables_run(sysadm_t, sysadm_r) | |
221 | ') | |
222 | ||
223 | optional_policy(` | |
224 | kerberos_exec_kadmind(sysadm_t) | |
225 | kerberos_filetrans_named_content(sysadm_t) | |
226 | ') | |
227 | ||
228 | optional_policy(` | |
229 | kudzu_run(sysadm_t, sysadm_r) | |
230 | ') | |
231 | ||
232 | optional_policy(` | |
233 | libs_run_ldconfig(sysadm_t, sysadm_r) | |
234 | ') | |
235 | ||
236 | optional_policy(` | |
237 | logrotate_run(sysadm_t, sysadm_r) | |
238 | ') | |
239 | ||
240 | optional_policy(` | |
241 | lpd_run_checkpc(sysadm_t, sysadm_r) | |
242 | lpd_role(sysadm_r, sysadm_t) | |
243 | ') | |
244 | ||
245 | optional_policy(` | |
246 | lvm_run(sysadm_t, sysadm_r) | |
247 | ') | |
248 | ||
249 | optional_policy(` | |
250 | modutils_run_depmod(sysadm_t, sysadm_r) | |
251 | modutils_run_insmod(sysadm_t, sysadm_r) | |
252 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
253 | modutils_read_module_deps(sysadm_t) | |
254 | ') | |
255 | ||
256 | optional_policy(` | |
257 | mount_run(sysadm_t, sysadm_r) | |
258 | mount_run_showmount(sysadm_t, sysadm_r) | |
259 | ') | |
260 | ||
261 | optional_policy(` | |
262 | mta_role(sysadm_r, sysadm_t) | |
263 | mta_filetrans_home_content(sysadm_t) | |
264 | mta_filetrans_admin_home_content(sysadm_t) | |
265 | ') | |
266 | ||
267 | optional_policy(` | |
268 | munin_stream_connect(sysadm_t) | |
269 | ') | |
270 | ||
271 | optional_policy(` | |
272 | mysql_stream_connect(sysadm_t) | |
273 | ') | |
274 | ||
275 | optional_policy(` | |
276 | ncftool_run(sysadm_t, sysadm_r) | |
277 | ') | |
278 | ||
279 | optional_policy(` | |
280 | netutils_run(sysadm_t, sysadm_r) | |
281 | netutils_run_ping(sysadm_t, sysadm_r) | |
282 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
283 | ') | |
284 | ||
285 | optional_policy(` | |
286 | ntp_stub() | |
287 | corenet_udp_bind_ntp_port(sysadm_t) | |
288 | ') | |
289 | ||
290 | optional_policy(` | |
291 | oav_run_update(sysadm_t, sysadm_r) | |
292 | ') | |
293 | ||
294 | optional_policy(` | |
295 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
296 | ') | |
297 | ||
298 | optional_policy(` | |
299 | portage_run(sysadm_t, sysadm_r) | |
300 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
301 | ') | |
302 | ||
303 | optional_policy(` | |
304 | portmap_run_helper(sysadm_t, sysadm_r) | |
305 | ') | |
306 | ||
307 | optional_policy(` | |
308 | prelink_run(sysadm_t, sysadm_r) | |
309 | ') | |
310 | ||
311 | optional_policy(` | |
312 | quota_run(sysadm_t, sysadm_r) | |
313 | ') | |
314 | ||
315 | optional_policy(` | |
316 | raid_domtrans_mdadm(sysadm_t) | |
317 | ') | |
318 | ||
319 | optional_policy(` | |
320 | rpc_domtrans_nfsd(sysadm_t) | |
321 | ') | |
322 | ||
323 | optional_policy(` | |
324 | rpm_run(sysadm_t, sysadm_r) | |
 | # REVIEW NOTE: the other dbus_chat calls in this file pass only the domain; the role argument here is probably unused - confirm against the rpm interface file. | |
325 | rpm_dbus_chat(sysadm_t, sysadm_r) | |
326 | ') | |
327 | ||
328 | ||
329 | optional_policy(` | |
330 | rsync_exec(sysadm_t) | |
331 | ') | |
332 | ||
333 | optional_policy(` | |
334 | samba_run_net(sysadm_t, sysadm_r) | |
335 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
336 | ') | |
337 | ||
338 | optional_policy(` | |
339 | samhain_admin(sysadm_t) | |
340 | ') | |
341 | ||
342 | optional_policy(` | |
343 | screen_role_template(sysadm, sysadm_r, sysadm_t) | |
344 | ') | |
345 | ||
346 | optional_policy(` | |
347 | secadm_role_change(sysadm_r) | |
348 | ') | |
349 | ||
350 | optional_policy(` | |
351 | seutil_run_setfiles(sysadm_t, sysadm_r) | |
352 | seutil_run_runinit(sysadm_t, sysadm_r) | |
353 | ') | |
354 | ||
355 | optional_policy(` | |
356 | shutdown_run(sysadm_t, sysadm_r) | |
357 | ') | |
358 | ||
359 | optional_policy(` | |
360 | ssh_role_template(sysadm, sysadm_r, sysadm_t) | |
361 | ') | |
362 | ||
363 | optional_policy(` | |
364 | staff_role_change(sysadm_r) | |
365 | ') | |
366 | ||
367 | optional_policy(` | |
368 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
369 | ') | |
370 | ||
371 | optional_policy(` | |
372 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
373 | ') | |
374 | ||
375 | optional_policy(` | |
376 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
377 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
378 | ') | |
379 | ||
380 | optional_policy(` | |
381 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
382 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
383 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
384 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
385 | ') | |
386 | ||
387 | optional_policy(` | |
388 | tzdata_domtrans(sysadm_t) | |
389 | ') | |
390 | ||
391 | optional_policy(` | |
 | # REVIEW NOTE: going by the interface name this lets sysadm_t transition into the unconfined domain when that module is present - | |
 | # the restrictions this file places on sysadm_t would then presumably not apply after the transition. Confirm this is intended for the target build. | |
392 | unconfined_domtrans(sysadm_t) | |
393 | ') | |
394 | ||
395 | optional_policy(` | |
396 | udev_run(sysadm_t, sysadm_r) | |
397 | ') | |
398 | ||
399 | optional_policy(` | |
400 | unprivuser_role_change(sysadm_r) | |
401 | ') | |
402 | ||
403 | optional_policy(` | |
404 | usbmodules_run(sysadm_t, sysadm_r) | |
405 | ') | |
406 | ||
407 | optional_policy(` | |
408 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
409 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
410 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
411 | ') | |
412 | ||
413 | ||
414 | optional_policy(` | |
415 | vpn_run(sysadm_t, sysadm_r) | |
416 | ') | |
417 | ||
418 | optional_policy(` | |
 | # REVIEW NOTE: identical to the optional block directly above; one of the two copies is redundant. | |
419 | vpn_run(sysadm_t, sysadm_r) | |
420 | ') | |
421 | ||
422 | optional_policy(` | |
423 | webalizer_run(sysadm_t, sysadm_r) | |
424 | ') | |
425 | ||
426 | optional_policy(` | |
427 | virt_stream_connect(sysadm_t) | |
428 | virt_user_home_dir_filetrans(sysadm_t) | |
429 | ') | |
430 | ||
431 | optional_policy(` | |
432 | vlock_run(sysadm_t, sysadm_r) | |
433 | ') | |
434 | ||
435 | optional_policy(` | |
436 | xserver_role(sysadm_r, sysadm_t) | |
437 | ') | |
438 | ||
439 | optional_policy(` | |
440 | yam_run(sysadm_t, sysadm_r) | |
441 | ') | |
442 | ||
443 | optional_policy(` | |
444 | zebra_stream_connect(sysadm_t) | |
445 | ') | |
446 | ||
447 | ifndef(`distro_redhat',` | |
448 | optional_policy(` | |
449 | apache_role(sysadm_r, sysadm_t) | |
450 | ') | |
451 | optional_policy(` | |
452 | auth_role(sysadm_r, sysadm_t) | |
453 | ') | |
454 | ||
455 | optional_policy(` | |
456 | bluetooth_role(sysadm_r, sysadm_t) | |
457 | ') | |
458 | ||
459 | optional_policy(` | |
460 | cdrecord_role(sysadm_r, sysadm_t) | |
461 | ') | |
462 | ||
463 | optional_policy(` | |
464 | cron_admin_role(sysadm_r, sysadm_t) | |
465 | ') | |
466 | ||
467 | optional_policy(` | |
 | # REVIEW NOTE: dbus_role_template is also invoked with the same arguments in an unconditional optional block earlier in this file. | |
 | # This copy sits inside the distro_redhat ifndef - so on other distributions both copies expand. Confirm the template tolerates being instantiated twice. | |
468 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
469 | ') | |
470 | ||
471 | optional_policy(` | |
472 | evolution_role(sysadm_r, sysadm_t) | |
473 | ') | |
474 | ||
475 | optional_policy(` | |
476 | games_role(sysadm_r, sysadm_t) | |
477 | ') | |
478 | ||
479 | optional_policy(` | |
480 | gift_role(sysadm_r, sysadm_t) | |
481 | ') | |
482 | ||
483 | optional_policy(` | |
484 | gnome_role(sysadm_r, sysadm_t) | |
485 | gnome_admin_home_dir_filetrans(sysadm_t) | |
486 | ') | |
487 | ||
488 | optional_policy(` | |
489 | gpg_role(sysadm_r, sysadm_t) | |
490 | ') | |
491 | ||
492 | optional_policy(` | |
493 | irc_role(sysadm_r, sysadm_t) | |
494 | ') | |
495 | ||
496 | optional_policy(` | |
497 | java_role(sysadm_r, sysadm_t) | |
498 | ') | |
499 | ||
500 | optional_policy(` | |
501 | lockdev_role(sysadm_r, sysadm_t) | |
502 | ') | |
503 | ||
504 | optional_policy(` | |
505 | mozilla_role(sysadm_r, sysadm_t) | |
506 | ') | |
507 | ||
508 | optional_policy(` | |
509 | mplayer_role(sysadm_r, sysadm_t) | |
510 | ') | |
511 | ||
512 | optional_policy(` | |
513 | pyzor_role(sysadm_r, sysadm_t) | |
514 | ') | |
515 | ||
516 | optional_policy(` | |
517 | razor_role(sysadm_r, sysadm_t) | |
518 | ') | |
519 | ||
520 | optional_policy(` | |
521 | rssh_role(sysadm_r, sysadm_t) | |
522 | ') | |
523 | ||
524 | optional_policy(` | |
525 | spamassassin_role(sysadm_r, sysadm_t) | |
526 | ') | |
527 | ||
528 | optional_policy(` | |
529 | thunderbird_role(sysadm_r, sysadm_t) | |
530 | ') | |
531 | ||
532 | optional_policy(` | |
533 | tvtime_role(sysadm_r, sysadm_t) | |
534 | ') | |
535 | ||
536 | optional_policy(` | |
537 | uml_role(sysadm_r, sysadm_t) | |
538 | ') | |
539 | ||
540 | optional_policy(` | |
541 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
542 | ') | |
543 | ||
544 | optional_policy(` | |
545 | vmware_role(sysadm_r, sysadm_t) | |
546 | ') | |
547 | ||
548 | optional_policy(` | |
549 | wireshark_role(sysadm_r, sysadm_t) | |
550 | ') | |
551 | ||
552 | optional_policy(` | |
 | # REVIEW NOTE: xserver_role is also invoked with the same arguments in an unconditional optional block earlier in this file. | |
 | # This copy sits inside the distro_redhat ifndef - so on other distributions both copies expand. Confirm the duplicate is harmless or drop one. | |
553 | xserver_role(sysadm_r, sysadm_t) | |
554 | ') | |
555 | ') |