policy_module(sysadm, 2.1.1)

########################################
#
# Declarations
#
# Role module for the system administrator: declares sysadm_r and wires the
# sysadm_t domain (produced by the admin-user template below) to the
# administrative tools it may run. Every rule in this file widens what an
# admin shell can do, so additions deserve the same scrutiny as daemon policy.
#

# Off by default. When enabled (tunable_policy block in the local policy
# section) sysadm_t may ptrace every domain, i.e. read and modify the memory
# of any process on the host, including confined daemons holding keys or
# credentials.
## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
gen_tunable(allow_ptrace, false)

role sysadm_r;

# NOTE(review): presumably declares sysadm_t and its helper types from the
# generic admin-user template -- confirm against userdom.if.
userdom_admin_user_template(sysadm)

# Non-MLS builds fold the security-administrator duties into sysadm_t; MLS
# builds leave this out so those duties stay with a separate role (see the
# secadm_role_change block further down).
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#
kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

# Reads of other domains' process state are denied silently; presumably so
# process-listing tools do not flood the audit log -- confirm in domain.if.
domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

# MLS-only relaxations: names suggest sysadm may read up and read/write to
# its clearance rather than only at its current level -- confirm in mls.if.
mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

# Exempt from user-based access control; presumably what lets sysadm_t act
# on processes, files and descriptors belonging to other SELinux users
# (e.g. the home-directory management below) -- confirm in ubac.if.
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

# Interaction with init: execute init and its scripts, talk to it over
# D-Bus, and take the init-script role transition for sysadm_r.
init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

modutils_read_module_deps(sysadm_t)

miscfiles_read_hwdata(sysadm_t)

# Add/remove user home directories, plus full management of user tmp
# content (dirs, files, symlinks, char and block device nodes).
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_user_tmp_dirs(sysadm_t)
userdom_manage_user_tmp_files(sysadm_t)
userdom_manage_user_tmp_symlinks(sysadm_t)
userdom_manage_user_tmp_chr_files(sysadm_t)
userdom_manage_user_tmp_blk_files(sysadm_t)

# direct_sysadm_daemon: let the admin start daemons from its own shell via
# init_run_daemon. Without it, only Gentoo builds get a daemon-start path
# here (through the seutil runinit interface).
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(sysadm_t, sysadm_r)
')
',`
ifdef(`distro_gentoo',`
optional_policy(`
seutil_init_script_run_runinit(sysadm_t, sysadm_r)
')
')
')

# Audit log/config management and auditctl are granted to sysadm only on
# non-MLS builds; MLS builds leave them to the audit administrator role
# (see auditadm_role_change below).
ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
logging_stream_connect_syslog(sysadm_t)
')

# Guarded by the allow_ptrace tunable declared at the top of this file.
tunable_policy(`allow_ptrace',`
domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
# cjp: why is this not apm_run_client
apm_domtrans_client(sysadm_t)
')

optional_policy(`
apt_run(sysadm_t, sysadm_r)
')

# Role change sysadm_r -> audit administrator role.
optional_policy(`
auditadm_role_change(sysadm_r)
')

optional_policy(`
backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
daemonstools_run_start(sysadm_t, sysadm_r)
')

optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
dmesg_exec(sysadm_t)
')

optional_policy(`
dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
ipsec_run_setkey(sysadm_t, sysadm_r)
ipsec_run_racoon(sysadm_t, sysadm_r)
ipsec_stream_connect_racoon(sysadm_t)

optional_policy(`
ipsec_mgmt_dbus_chat(sysadm_t)
')
')

optional_policy(`
iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
kerberos_exec_kadmind(sysadm_t)
')

optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
lpd_run_checkpc(sysadm_t, sysadm_r)
lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
lvm_run(sysadm_t, sysadm_r)
')

# Kernel module management from the admin shell.
optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
')

optional_policy(`
mount_run(sysadm_t, sysadm_r)
mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
mta_role(sysadm_r, sysadm_t)
')

optional_policy(`
munin_stream_connect(sysadm_t)
')

optional_policy(`
mysql_stream_connect(sysadm_t)
')

optional_policy(`
ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
oident_manage_user_content(sysadm_t)
oident_relabel_user_content(sysadm_t)
')

optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
rpm_run(sysadm_t, sysadm_r)
')


optional_policy(`
rsync_exec(sysadm_t)
')

optional_policy(`
samba_run_net(sysadm_t, sysadm_r)
samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
')

# Role change sysadm_r -> security administrator role; this is the path
# that matters on MLS builds, where the secadm template above is omitted.
optional_policy(`
secadm_role_change(sysadm_r)
')

# Policy-tooling from the admin shell (setfiles relabeling, runinit).
optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
shutdown_run(sysadm_t, sysadm_r)
')


# Per-role ssh, su and sudo domains for sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

# Role change sysadm_r -> staff role.
optional_policy(`
staff_role_change(sysadm_r)
')

optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
tzdata_domtrans(sysadm_t)
')

# NOTE(review): presumably a domain transition into the unconfined domain
# when that module is loaded; if so, a sysadm shell can leave confinement
# entirely, so this block is the first thing to drop on a hardened build --
# confirm against unconfined.if.
optional_policy(`
unconfined_domtrans(sysadm_t)
')

# Role change sysadm_r -> unprivileged user role.
optional_policy(`
unprivuser_role_change(sysadm_r)
')

optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')

# Account management: passwd (admin variant), groupadd, useradd.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')


optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')

# NOTE(review): exact duplicate of the vpn_run block immediately above;
# harmless to the build, but one of the two copies should be removed.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
webalizer_run(sysadm_t, sysadm_r)
')

optional_policy(`
virt_stream_connect(sysadm_t)
')

optional_policy(`
yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
zebra_stream_connect(sysadm_t)
')

# Desktop and user-application roles (browser, mail, X server, games, ...)
# are attached to sysadm_r only on non-Red Hat builds; Red Hat builds leave
# the admin role without these application domains.
ifndef(`distro_redhat',`
optional_policy(`
apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
auth_role(sysadm_r, sysadm_t)
')

optional_policy(`
bluetooth_role(sysadm_r, sysadm_t)
')

optional_policy(`
cdrecord_role(sysadm_r, sysadm_t)
')

optional_policy(`
cron_admin_role(sysadm_r, sysadm_t)
')

optional_policy(`
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
evolution_role(sysadm_r, sysadm_t)
')

optional_policy(`
games_role(sysadm_r, sysadm_t)
')

optional_policy(`
gift_role(sysadm_r, sysadm_t)
')

optional_policy(`
gnome_role(sysadm_r, sysadm_t)
')

optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')

optional_policy(`
irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
java_role(sysadm_r, sysadm_t)
')

optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')

optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')

optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')

optional_policy(`
pyzor_role(sysadm_r, sysadm_t)
')

optional_policy(`
razor_role(sysadm_r, sysadm_t)
')

optional_policy(`
rssh_role(sysadm_r, sysadm_t)
')

optional_policy(`
spamassassin_role(sysadm_r, sysadm_t)
')

optional_policy(`
thunderbird_role(sysadm_r, sysadm_t)
')

optional_policy(`
tvtime_role(sysadm_r, sysadm_t)
')

optional_policy(`
uml_role(sysadm_r, sysadm_t)
')

optional_policy(`
userhelper_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
vmware_role(sysadm_r, sysadm_t)
')

optional_policy(`
wireshark_role(sysadm_r, sysadm_t)
')

optional_policy(`
xserver_role(sysadm_r, sysadm_t)
')
')