Remove module for thunderbird.
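policy_module(sysadm, 2.2.1)

########################################
#
# Declarations
#

# sysadm_r is the general system-administrator role.  The admin user
# template below defines sysadm_t and the usual admin-user permissions;
# everything after it widens that domain, so additions here should be
# reviewed as privilege grants to the role.
role sysadm_r;

userdom_admin_user_template(sysadm)

# Without MLS there is no dedicated security-administrator role, so the
# security-admin template is applied to sysadm as well.  With enable_mls
# this stays with the separate secadm role (cf. secadm_role_change below).
ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#

kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

dev_filetrans_all_named_dev(sysadm_t)
storage_filetrans_all_named_dev(sysadm_t)
term_filetrans_all_named_dev(sysadm_t)

mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

storage_setattr_fixed_disk_dev(sysadm_t)

# sysadm is exempt from user-based access control separation.
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

miscfiles_filetrans_named_content(sysadm_t)
miscfiles_read_hwdata(sysadm_t)

sysnet_filetrans_named_content(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_tmp_role(sysadm_r, sysadm_t)

optional_policy(`
	alsa_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(sysadm_t)
')

ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

# Audit log/config management and auditctl are sysadm duties only in
# non-MLS builds; under enable_mls they are left to the audit admin role
# (cf. auditadm_role_change below).
ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

# The grant sits in the "false" arm of the tunable: while deny_ptrace is
# off, sysadm_t may ptrace every domain on the system.
tunable_policy(`deny_ptrace',`',`
	domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	apache_filetrans_home_content(sysadm_t)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

optional_policy(`
	apt_run(sysadm_t, sysadm_r)
')

# Role changes sysadm_r may perform (e.g. via newrole): auditadm, secadm,
# staff and unprivuser further down.
optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
	#cron_role(sysadm_r, sysadm_t)
')

optional_policy(`
	consoletype_exec(sysadm_t)
')

optional_policy(`
	daemonstools_run_start(sysadm_t, sysadm_r)
')

# Unconditional; the distro-specific block at the end of this file must
# not repeat this template.
optional_policy(`
	dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	devicekit_filetrans_named_content(sysadm_t)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
	kerberos_filetrans_named_content(sysadm_t)
')

optional_policy(`
	kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
	modutils_read_module_deps(sysadm_t)
	modules_filetrans_named_content(sysadm_t)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
	# this is defined in userdom_common_user_template
	#mta_filetrans_home_content(sysadm_t)
	mta_filetrans_admin_home_content(sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	networkmanager_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	nx_filetrans_named_content(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	openvpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	polipo_role(sysadm_r, sysadm_t)
	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	polipo_named_filetrans_admin_config_home_files(sysadm_t)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	postfix_filetrans_named_content(sysadm_t)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	puppet_run_puppetca(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
	rpm_dbus_chat(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	samhain_admin(sysadm_t)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	setroubleshoot_stream_connect(sysadm_t)
	setroubleshoot_dbus_chat(sysadm_t)
	setroubleshoot_dbus_chat_fixit(sysadm_t)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
	systemd_passwd_agent_run(sysadm_t, sysadm_r)
	systemd_config_all_services(sysadm_t)
	systemd_manage_all_unit_files(sysadm_t)
	systemd_manage_all_unit_lnk_files(sysadm_t)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

# When the unconfined module is loaded, sysadm_t can transition into the
# unconfined domain.  Review before relying on sysadm staying confined.
optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	udev_run(sysadm_t, sysadm_r)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
	virt_filetrans_home_content(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

# Unconditional; the distro-specific block below must not repeat this.
optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')

# Roles and templates granted to sysadm only on non-Red Hat builds.
# dbus_role_template and xserver_role are already applied unconditionally
# above, so they are not repeated here: on non-Red Hat builds the second
# expansion was redundant at best (and a template that declares types
# may not tolerate being expanded twice in one module).
ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gnome_role(sysadm_r, sysadm_t)
		gnome_filetrans_admin_home_content(sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mock_admin(sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		tvtime_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')
')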