]>
Commit | Line | Data |
---|---|---|
1 | policy_module(sysadm, 2.2.1) | |
2 | ||
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | role sysadm_r; | |
9 | ||
10 | userdom_admin_user_template(sysadm) | |
11 | ||
12 | ifndef(`enable_mls',` | |
13 | userdom_security_admin_template(sysadm_t, sysadm_r) | |
14 | ') | |
15 | ||
16 | ######################################## | |
17 | # | |
18 | # Local policy | |
19 | # | |
20 | kernel_read_fs_sysctls(sysadm_t) | |
21 | ||
22 | corecmd_exec_shell(sysadm_t) | |
23 | ||
24 | domain_dontaudit_read_all_domains_state(sysadm_t) | |
25 | ||
26 | files_read_kernel_modules(sysadm_t) | |
27 | ||
28 | dev_filetrans_all_named_dev(sysadm_t) | |
29 | storage_filetrans_all_named_dev(sysadm_t) | |
30 | term_filetrans_all_named_dev(sysadm_t) | |
31 | ||
32 | mls_process_read_up(sysadm_t) | |
33 | mls_file_read_to_clearance(sysadm_t) | |
34 | mls_process_write_to_clearance(sysadm_t) | |
35 | ||
36 | storage_setattr_fixed_disk_dev(sysadm_t) | |
37 | ||
38 | ubac_process_exempt(sysadm_t) | |
39 | ubac_file_exempt(sysadm_t) | |
40 | ubac_fd_exempt(sysadm_t) | |
41 | ||
42 | application_exec(sysadm_t) | |
43 | ||
44 | init_exec(sysadm_t) | |
45 | init_exec_script_files(sysadm_t) | |
46 | init_dbus_chat(sysadm_t) | |
47 | init_script_role_transition(sysadm_r) | |
48 | ||
49 | miscfiles_filetrans_named_content(sysadm_t) | |
50 | miscfiles_read_hwdata(sysadm_t) | |
51 | ||
52 | sysnet_filetrans_named_content(sysadm_t) | |
53 | ||
54 | # Add/remove user home directories | |
55 | userdom_manage_user_home_dirs(sysadm_t) | |
56 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
57 | userdom_manage_tmp_role(sysadm_r, sysadm_t) | |
58 | ||
59 | optional_policy(` | |
60 | alsa_filetrans_named_content(sysadm_t) | |
61 | ') | |
62 | ||
63 | optional_policy(` | |
64 | ssh_filetrans_admin_home_content(sysadm_t) | |
65 | ') | |
66 | ||
67 | ifdef(`direct_sysadm_daemon',` | |
68 | optional_policy(` | |
69 | init_run_daemon(sysadm_t, sysadm_r) | |
70 | ') | |
71 | ',` | |
72 | ifdef(`distro_gentoo',` | |
73 | optional_policy(` | |
74 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) | |
75 | ') | |
76 | ') | |
77 | ') | |
78 | ||
79 | ifndef(`enable_mls',` | |
80 | logging_manage_audit_log(sysadm_t) | |
81 | logging_manage_audit_config(sysadm_t) | |
82 | logging_run_auditctl(sysadm_t, sysadm_r) | |
83 | logging_stream_connect_syslog(sysadm_t) | |
84 | ') | |
85 | ||
86 | tunable_policy(`deny_ptrace',`',` | |
87 | domain_ptrace_all_domains(sysadm_t) | |
88 | ') | |
89 | ||
90 | optional_policy(` | |
91 | amanda_run_recover(sysadm_t, sysadm_r) | |
92 | ') | |
93 | ||
94 | optional_policy(` | |
95 | apache_run_helper(sysadm_t, sysadm_r) | |
96 | apache_filetrans_home_content(sysadm_t) | |
97 | #apache_run_all_scripts(sysadm_t, sysadm_r) | |
98 | #apache_domtrans_sys_script(sysadm_t) | |
99 | ') | |
100 | ||
101 | optional_policy(` | |
102 | # cjp: why is this not apm_run_client | |
103 | apm_domtrans_client(sysadm_t) | |
104 | ') | |
105 | ||
106 | optional_policy(` | |
107 | apt_run(sysadm_t, sysadm_r) | |
108 | ') | |
109 | ||
110 | optional_policy(` | |
111 | auditadm_role_change(sysadm_r) | |
112 | ') | |
113 | ||
114 | optional_policy(` | |
115 | backup_run(sysadm_t, sysadm_r) | |
116 | ') | |
117 | ||
118 | optional_policy(` | |
119 | bind_run_ndc(sysadm_t, sysadm_r) | |
120 | ') | |
121 | ||
122 | optional_policy(` | |
123 | bootloader_run(sysadm_t, sysadm_r) | |
124 | ') | |
125 | ||
126 | optional_policy(` | |
127 | certmonger_dbus_chat(sysadm_t) | |
128 | ') | |
129 | ||
130 | optional_policy(` | |
131 | certwatch_run(sysadm_t, sysadm_r) | |
132 | ') | |
133 | ||
134 | optional_policy(` | |
135 | clock_run(sysadm_t, sysadm_r) | |
136 | ') | |
137 | ||
138 | optional_policy(` | |
139 | clockspeed_run_cli(sysadm_t, sysadm_r) | |
140 | ') | |
141 | ||
142 | optional_policy(` | |
143 | cron_admin_role(sysadm_r, sysadm_t) | |
144 | #cron_role(sysadm_r, sysadm_t) | |
145 | ') | |
146 | ||
147 | optional_policy(` | |
148 | consoletype_exec(sysadm_t) | |
149 | ') | |
150 | ||
151 | optional_policy(` | |
152 | daemonstools_run_start(sysadm_t, sysadm_r) | |
153 | ') | |
154 | ||
155 | optional_policy(` | |
156 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
157 | ') | |
158 | ||
159 | optional_policy(` | |
160 | dcc_run_cdcc(sysadm_t, sysadm_r) | |
161 | dcc_run_client(sysadm_t, sysadm_r) | |
162 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
163 | ') | |
164 | ||
165 | optional_policy(` | |
166 | ddcprobe_run(sysadm_t, sysadm_r) | |
167 | ') | |
168 | ||
169 | optional_policy(` | |
170 | devicekit_filetrans_named_content(sysadm_t) | |
171 | ') | |
172 | ||
173 | optional_policy(` | |
174 | dmesg_exec(sysadm_t) | |
175 | ') | |
176 | ||
177 | optional_policy(` | |
178 | dmidecode_run(sysadm_t, sysadm_r) | |
179 | ') | |
180 | ||
181 | optional_policy(` | |
182 | dpkg_run(sysadm_t, sysadm_r) | |
183 | ') | |
184 | ||
185 | optional_policy(` | |
186 | firstboot_run(sysadm_t, sysadm_r) | |
187 | ') | |
188 | ||
189 | optional_policy(` | |
190 | fstools_run(sysadm_t, sysadm_r) | |
191 | ') | |
192 | ||
193 | optional_policy(` | |
194 | hostname_run(sysadm_t, sysadm_r) | |
195 | ') | |
196 | ||
197 | optional_policy(` | |
198 | hadoop_role(sysadm_r, sysadm_t) | |
199 | ') | |
200 | ||
201 | optional_policy(` | |
202 | # allow system administrator to use the ipsec script to look | |
203 | # at things (e.g., ipsec auto --status) | |
204 | # probably should create an ipsec_admin role for this kind of thing | |
205 | ipsec_exec_mgmt(sysadm_t) | |
206 | ipsec_stream_connect(sysadm_t) | |
207 | # for lsof | |
208 | ipsec_getattr_key_sockets(sysadm_t) | |
209 | ipsec_run_setkey(sysadm_t, sysadm_r) | |
210 | ipsec_run_racoon(sysadm_t, sysadm_r) | |
211 | ipsec_stream_connect_racoon(sysadm_t) | |
212 | ||
213 | optional_policy(` | |
214 | ipsec_mgmt_dbus_chat(sysadm_t) | |
215 | ') | |
216 | ') | |
217 | ||
218 | optional_policy(` | |
219 | iptables_run(sysadm_t, sysadm_r) | |
220 | ') | |
221 | ||
222 | optional_policy(` | |
223 | irc_role(sysadm_r, sysadm_t) | |
224 | ') | |
225 | ||
226 | optional_policy(` | |
227 | kerberos_exec_kadmind(sysadm_t) | |
228 | kerberos_filetrans_named_content(sysadm_t) | |
229 | ') | |
230 | ||
231 | optional_policy(` | |
232 | kudzu_run(sysadm_t, sysadm_r) | |
233 | ') | |
234 | ||
235 | optional_policy(` | |
236 | libs_run_ldconfig(sysadm_t, sysadm_r) | |
237 | ') | |
238 | ||
239 | optional_policy(` | |
240 | logrotate_run(sysadm_t, sysadm_r) | |
241 | ') | |
242 | ||
243 | optional_policy(` | |
244 | lpd_run_checkpc(sysadm_t, sysadm_r) | |
245 | lpd_role(sysadm_r, sysadm_t) | |
246 | ') | |
247 | ||
248 | optional_policy(` | |
249 | lvm_run(sysadm_t, sysadm_r) | |
250 | ') | |
251 | ||
252 | optional_policy(` | |
253 | modutils_run_depmod(sysadm_t, sysadm_r) | |
254 | modutils_run_insmod(sysadm_t, sysadm_r) | |
255 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
256 | modutils_read_module_deps(sysadm_t) | |
257 | modules_filetrans_named_content(sysadm_t) | |
258 | ') | |
259 | ||
260 | optional_policy(` | |
261 | mount_run(sysadm_t, sysadm_r) | |
262 | mount_run_showmount(sysadm_t, sysadm_r) | |
263 | ') | |
264 | ||
265 | optional_policy(` | |
266 | mta_role(sysadm_r, sysadm_t) | |
267 | # this is defined in userdom_common_user_template | |
268 | #mta_filetrans_home_content(sysadm_t) | |
269 | mta_filetrans_admin_home_content(sysadm_t) | |
270 | ') | |
271 | ||
272 | optional_policy(` | |
273 | munin_stream_connect(sysadm_t) | |
274 | ') | |
275 | ||
276 | optional_policy(` | |
277 | mysql_stream_connect(sysadm_t) | |
278 | ') | |
279 | ||
280 | optional_policy(` | |
281 | ncftool_run(sysadm_t, sysadm_r) | |
282 | ') | |
283 | ||
284 | optional_policy(` | |
285 | netutils_run(sysadm_t, sysadm_r) | |
286 | netutils_run_ping(sysadm_t, sysadm_r) | |
287 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
288 | ') | |
289 | ||
290 | optional_policy(` | |
291 | networkmanager_filetrans_named_content(sysadm_t) | |
292 | ') | |
293 | ||
294 | optional_policy(` | |
295 | ntp_stub() | |
296 | corenet_udp_bind_ntp_port(sysadm_t) | |
297 | ') | |
298 | ||
299 | optional_policy(` | |
300 | nx_filetrans_named_content(sysadm_t) | |
301 | ') | |
302 | ||
303 | optional_policy(` | |
304 | oav_run_update(sysadm_t, sysadm_r) | |
305 | ') | |
306 | ||
307 | optional_policy(` | |
308 | openvpn_run(sysadm_t, sysadm_r) | |
309 | ') | |
310 | ||
311 | optional_policy(` | |
312 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
313 | ') | |
314 | ||
315 | optional_policy(` | |
316 | polipo_role(sysadm_r, sysadm_t) | |
317 | polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) | |
318 | polipo_named_filetrans_admin_config_home_files(sysadm_t) | |
319 | ') | |
320 | ||
321 | optional_policy(` | |
322 | portage_run(sysadm_t, sysadm_r) | |
323 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
324 | ') | |
325 | ||
326 | optional_policy(` | |
327 | portmap_run_helper(sysadm_t, sysadm_r) | |
328 | ') | |
329 | ||
330 | optional_policy(` | |
331 | postfix_filetrans_named_content(sysadm_t) | |
332 | ') | |
333 | ||
334 | optional_policy(` | |
335 | prelink_run(sysadm_t, sysadm_r) | |
336 | ') | |
337 | ||
338 | optional_policy(` | |
339 | puppet_run_puppetca(sysadm_t, sysadm_r) | |
340 | ') | |
341 | ||
342 | optional_policy(` | |
343 | quota_run(sysadm_t, sysadm_r) | |
344 | ') | |
345 | ||
346 | optional_policy(` | |
347 | raid_domtrans_mdadm(sysadm_t) | |
348 | ') | |
349 | ||
350 | optional_policy(` | |
351 | rpc_domtrans_nfsd(sysadm_t) | |
352 | ') | |
353 | ||
354 | optional_policy(` | |
355 | rpm_run(sysadm_t, sysadm_r) | |
356 | rpm_dbus_chat(sysadm_t, sysadm_r) | |
357 | ') | |
358 | ||
359 | optional_policy(` | |
360 | rsync_exec(sysadm_t) | |
361 | ') | |
362 | ||
363 | optional_policy(` | |
364 | samba_run_net(sysadm_t, sysadm_r) | |
365 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
366 | ') | |
367 | ||
368 | optional_policy(` | |
369 | samhain_admin(sysadm_t) | |
370 | ') | |
371 | ||
372 | optional_policy(` | |
373 | screen_role_template(sysadm, sysadm_r, sysadm_t) | |
374 | ') | |
375 | ||
376 | optional_policy(` | |
377 | secadm_role_change(sysadm_r) | |
378 | ') | |
379 | ||
380 | optional_policy(` | |
381 | setroubleshoot_stream_connect(sysadm_t) | |
382 | setroubleshoot_dbus_chat(sysadm_t) | |
383 | setroubleshoot_dbus_chat_fixit(sysadm_t) | |
384 | ') | |
385 | ||
386 | optional_policy(` | |
387 | seutil_run_setfiles(sysadm_t, sysadm_r) | |
388 | seutil_run_runinit(sysadm_t, sysadm_r) | |
389 | ') | |
390 | ||
391 | optional_policy(` | |
392 | shutdown_run(sysadm_t, sysadm_r) | |
393 | ') | |
394 | ||
395 | optional_policy(` | |
396 | ssh_role_template(sysadm, sysadm_r, sysadm_t) | |
397 | ') | |
398 | ||
399 | optional_policy(` | |
400 | staff_role_change(sysadm_r) | |
401 | ') | |
402 | ||
403 | optional_policy(` | |
404 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
405 | ') | |
406 | ||
407 | optional_policy(` | |
408 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
409 | ') | |
410 | ||
411 | optional_policy(` | |
412 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
413 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
414 | ') | |
415 | ||
416 | optional_policy(` | |
417 | systemd_passwd_agent_run(sysadm_t, sysadm_r) | |
418 | systemd_config_all_services(sysadm_t) | |
419 | systemd_manage_all_unit_files(sysadm_t) | |
420 | systemd_manage_all_unit_lnk_files(sysadm_t) | |
421 | ') | |
422 | ||
423 | optional_policy(` | |
424 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
425 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
426 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
427 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
428 | ') | |
429 | ||
430 | optional_policy(` | |
431 | tzdata_domtrans(sysadm_t) | |
432 | ') | |
433 | ||
434 | optional_policy(` | |
435 | unconfined_domtrans(sysadm_t) | |
436 | ') | |
437 | ||
438 | optional_policy(` | |
439 | udev_run(sysadm_t, sysadm_r) | |
440 | ') | |
441 | ||
442 | optional_policy(` | |
443 | unprivuser_role_change(sysadm_r) | |
444 | ') | |
445 | ||
446 | optional_policy(` | |
447 | usbmodules_run(sysadm_t, sysadm_r) | |
448 | ') | |
449 | ||
450 | optional_policy(` | |
451 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
452 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
453 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
454 | ') | |
455 | ||
456 | optional_policy(` | |
457 | virt_stream_connect(sysadm_t) | |
458 | virt_filetrans_home_content(sysadm_t) | |
459 | ') | |
460 | ||
461 | optional_policy(` | |
462 | vlock_run(sysadm_t, sysadm_r) | |
463 | ') | |
464 | ||
465 | optional_policy(` | |
466 | vpn_run(sysadm_t, sysadm_r) | |
467 | ') | |
468 | ||
469 | optional_policy(` | |
470 | webalizer_run(sysadm_t, sysadm_r) | |
471 | ') | |
472 | ||
473 | optional_policy(` | |
474 | xserver_role(sysadm_r, sysadm_t) | |
475 | ') | |
476 | ||
477 | optional_policy(` | |
478 | yam_run(sysadm_t, sysadm_r) | |
479 | ') | |
480 | ||
481 | optional_policy(` | |
482 | zebra_stream_connect(sysadm_t) | |
483 | ') | |
484 | ||
485 | ifndef(`distro_redhat',` | |
486 | optional_policy(` | |
487 | apache_role(sysadm_r, sysadm_t) | |
488 | ') | |
489 | optional_policy(` | |
490 | auth_role(sysadm_r, sysadm_t) | |
491 | ') | |
492 | ||
493 | optional_policy(` | |
494 | bluetooth_role(sysadm_r, sysadm_t) | |
495 | ') | |
496 | ||
497 | optional_policy(` | |
498 | cdrecord_role(sysadm_r, sysadm_t) | |
499 | ') | |
500 | ||
501 | optional_policy(` | |
502 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
503 | ') | |
504 | ||
505 | optional_policy(` | |
506 | gnome_role(sysadm_r, sysadm_t) | |
507 | gnome_filetrans_admin_home_content(sysadm_t) | |
508 | ') | |
509 | ||
510 | optional_policy(` | |
511 | gpg_role(sysadm_r, sysadm_t) | |
512 | ') | |
513 | ||
514 | optional_policy(` | |
515 | java_role(sysadm_r, sysadm_t) | |
516 | ') | |
517 | ||
518 | optional_policy(` | |
519 | lockdev_role(sysadm_r, sysadm_t) | |
520 | ') | |
521 | ||
522 | optional_policy(` | |
523 | mock_admin(sysadm_t) | |
524 | ') | |
525 | ||
526 | optional_policy(` | |
527 | mplayer_role(sysadm_r, sysadm_t) | |
528 | ') | |
529 | ||
530 | optional_policy(` | |
531 | pyzor_role(sysadm_r, sysadm_t) | |
532 | ') | |
533 | ||
534 | optional_policy(` | |
535 | razor_role(sysadm_r, sysadm_t) | |
536 | ') | |
537 | ||
538 | optional_policy(` | |
539 | rssh_role(sysadm_r, sysadm_t) | |
540 | ') | |
541 | ||
542 | optional_policy(` | |
543 | spamassassin_role(sysadm_r, sysadm_t) | |
544 | ') | |
545 | ||
546 | optional_policy(` | |
547 | tvtime_role(sysadm_r, sysadm_t) | |
548 | ') | |
549 | ||
550 | optional_policy(` | |
551 | uml_role(sysadm_r, sysadm_t) | |
552 | ') | |
553 | ||
554 | optional_policy(` | |
555 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
556 | ') | |
557 | ||
558 | optional_policy(` | |
559 | vmware_role(sysadm_r, sysadm_t) | |
560 | ') | |
561 | ||
562 | optional_policy(` | |
563 | wireshark_role(sysadm_r, sysadm_t) | |
564 | ') | |
565 | ||
566 | optional_policy(` | |
567 | xserver_role(sysadm_r, sysadm_t) | |
568 | ') | |
569 | ') |