]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/roles/sysadm.te
projects / people / stevee / selinux-policy.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
colord_t needs to read ~/.local/share/icc
[people/stevee/selinux-policy.git] / policy / modules / roles / sysadm.te
CommitLineData
826d0142 1policy_module(sysadm, 2.2.0)
e9c6cda7
CP		 2
3########################################
4#
5# Declarations
6#
7
8## <desc>
9## <p>
10## Allow sysadm to debug or ptrace all processes.
11## </p>
12## </desc>
0bfccda4 13gen_tunable(allow_ptrace, false)
e9c6cda7
CP		 14
15role sysadm_r;
16
17userdom_admin_user_template(sysadm)
18
19ifndef(`enable_mls',`
296273a7 20 userdom_security_admin_template(sysadm_t, sysadm_r)
e9c6cda7
CP		 21')
22
23########################################
24#
25# Local policy
26#
2968e068 27kernel_read_fs_sysctls(sysadm_t)
e9c6cda7
CP		 28
29corecmd_exec_shell(sysadm_t)
30
3eaa9939
DW		 31domain_dontaudit_read_all_domains_state(sysadm_t)
32
2968e068
DW		 33files_read_kernel_modules(sysadm_t)
34
65f784aa
DW		 35dev_filetrans_all_named_dev(sysadm_t)
36storage_filetrans_all_named_dev(sysadm_t)
37term_filetrans_all_named_dev(sysadm_t)
72eaebd0 38
e9c6cda7 39mls_process_read_up(sysadm_t)
3eaa9939
DW		 40mls_file_read_to_clearance(sysadm_t)
41mls_process_write_to_clearance(sysadm_t)
e9c6cda7 42
77b776ea
DW		 43storage_setattr_fixed_disk_dev(sysadm_t)
44
296273a7
CP		 45ubac_process_exempt(sysadm_t)
46ubac_file_exempt(sysadm_t)
47ubac_fd_exempt(sysadm_t)
48
3eaa9939
DW		 49application_exec(sysadm_t)
50
e9c6cda7 51init_exec(sysadm_t)
3eaa9939
DW		 52init_exec_script_files(sysadm_t)
53init_dbus_chat(sysadm_t)
2968e068
DW		 54init_script_role_transition(sysadm_r)
55
2968e068 56miscfiles_read_hwdata(sysadm_t)
e9c6cda7 57
72eaebd0
DW		 58sysnet_etc_filetrans_config(sysadm_t, resolv.conf)
59sysnet_etc_filetrans_config(sysadm_t, denyhosts)
60sysnet_etc_filetrans_config(sysadm_t, hosts)
61sysnet_etc_filetrans_config(sysadm_t, ethers)
62sysnet_etc_filetrans_config(sysadm_t, yp.conf)
63
296273a7
CP		 64# Add/remove user home directories
65userdom_manage_user_home_dirs(sysadm_t)
66userdom_home_filetrans_user_home_dir(sysadm_t)
3eaa9939
DW		 67userdom_manage_user_tmp_dirs(sysadm_t)
68userdom_manage_user_tmp_files(sysadm_t)
69userdom_manage_user_tmp_symlinks(sysadm_t)
70userdom_manage_user_tmp_chr_files(sysadm_t)
71userdom_manage_user_tmp_blk_files(sysadm_t)
e9c6cda7 72
72eaebd0 73optional_policy(`
72eaebd0
DW		 74 ssh_admin_home_dir_filetrans(sysadm_t)
75')
76
e9c6cda7
CP		 77ifdef(`direct_sysadm_daemon',`
78 optional_policy(`
296273a7 79 init_run_daemon(sysadm_t, sysadm_r)
e9c6cda7
CP		 80 ')
81',`
82 ifdef(`distro_gentoo',`
83 optional_policy(`
296273a7 84 seutil_init_script_run_runinit(sysadm_t, sysadm_r)
e9c6cda7
CP		 85 ')
86 ')
87')
88
89ifndef(`enable_mls',`
90 logging_manage_audit_log(sysadm_t)
91 logging_manage_audit_config(sysadm_t)
296273a7 92 logging_run_auditctl(sysadm_t, sysadm_r)
3eaa9939 93 logging_stream_connect_syslog(sysadm_t)
e9c6cda7
CP		 94')
95
96tunable_policy(`allow_ptrace',`
97 domain_ptrace_all_domains(sysadm_t)
98')
99
100optional_policy(`
296273a7 101 amanda_run_recover(sysadm_t, sysadm_r)
e9c6cda7
CP		 102')
103
104optional_policy(`
296273a7 105 apache_run_helper(sysadm_t, sysadm_r)
3ad2a285 106 apache_filetrans_home_content(sysadm_t)
e9c6cda7
CP		 107 #apache_run_all_scripts(sysadm_t, sysadm_r)
108 #apache_domtrans_sys_script(sysadm_t)
109')
110
111optional_policy(`
112 # cjp: why is this not apm_run_client
113 apm_domtrans_client(sysadm_t)
114')
115
116optional_policy(`
296273a7
CP		 117 apt_run(sysadm_t, sysadm_r)
118')
119
120optional_policy(`
121 auditadm_role_change(sysadm_r)
122')
123
296273a7
CP		 124optional_policy(`
125 backup_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 126')
127
128optional_policy(`
296273a7 129 bind_run_ndc(sysadm_t, sysadm_r)
e9c6cda7
CP		 130')
131
e9c6cda7 132optional_policy(`
296273a7 133 bootloader_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 134')
135
3eaa9939
DW		 136optional_policy(`
137 certmonger_dbus_chat(sysadm_t)
138')
139
e9c6cda7 140optional_policy(`
296273a7 141 certwatch_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 142')
143
144optional_policy(`
296273a7 145 clock_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 146')
147
148optional_policy(`
296273a7 149 clockspeed_run_cli(sysadm_t, sysadm_r)
e9c6cda7
CP		 150')
151
152optional_policy(`
296273a7 153 consoletype_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 154')
155
3eaa9939
DW		 156optional_policy(`
157 daemonstools_run_start(sysadm_t, sysadm_r)
e9c6cda7
CP		 158')
159
e9c6cda7 160optional_policy(`
296273a7
CP		 161 dcc_run_cdcc(sysadm_t, sysadm_r)
162 dcc_run_client(sysadm_t, sysadm_r)
163 dcc_run_dbclean(sysadm_t, sysadm_r)
164')
165
4ad28653
DW		 166optional_policy(`
167 dbus_role_template(sysadm, sysadm_r, sysadm_t)
168')
169
296273a7
CP		 170optional_policy(`
171 ddcprobe_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 172')
173
174optional_policy(`
175 dmesg_exec(sysadm_t)
176')
177
178optional_policy(`
296273a7
CP		 179 dmidecode_run(sysadm_t, sysadm_r)
180')
181
182optional_policy(`
183 dpkg_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 184')
185
e9c6cda7 186optional_policy(`
296273a7 187 firstboot_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 188')
189
190optional_policy(`
296273a7 191 fstools_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 192')
193
296273a7
CP		 194optional_policy(`
195 hostname_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 196')
197
bc71a042 198optional_policy(`
641ac054 199 hadoop_role(sysadm_r, sysadm_t)
bc71a042
PN		 200')
201
e9c6cda7
CP		 202optional_policy(`
203 # allow system administrator to use the ipsec script to look
204 # at things (e.g., ipsec auto --status)
205 # probably should create an ipsec_admin role for this kind of thing
206 ipsec_exec_mgmt(sysadm_t)
207 ipsec_stream_connect(sysadm_t)
208 # for lsof
209 ipsec_getattr_key_sockets(sysadm_t)
3eaa9939
DW		 210 ipsec_run_setkey(sysadm_t, sysadm_r)
211 ipsec_run_racoon(sysadm_t, sysadm_r)
212 ipsec_stream_connect_racoon(sysadm_t)
213
214 optional_policy(`
215 ipsec_mgmt_dbus_chat(sysadm_t)
216 ')
e9c6cda7
CP		 217')
218
219optional_policy(`
296273a7
CP		 220 iptables_run(sysadm_t, sysadm_r)
221')
222
3eaa9939
DW		 223optional_policy(`
224 kerberos_exec_kadmind(sysadm_t)
d141ac47 225 kerberos_filetrans_named_content(sysadm_t)
3eaa9939
DW		 226')
227
e9c6cda7 228optional_policy(`
296273a7 229 kudzu_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 230')
231
232optional_policy(`
296273a7 233 libs_run_ldconfig(sysadm_t, sysadm_r)
e9c6cda7
CP		 234')
235
e9c6cda7 236optional_policy(`
296273a7 237 logrotate_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 238')
239
240optional_policy(`
296273a7
CP		 241 lpd_run_checkpc(sysadm_t, sysadm_r)
242 lpd_role(sysadm_r, sysadm_t)
e9c6cda7
CP		 243')
244
245optional_policy(`
296273a7 246 lvm_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 247')
248
249optional_policy(`
296273a7
CP		 250 modutils_run_depmod(sysadm_t, sysadm_r)
251 modutils_run_insmod(sysadm_t, sysadm_r)
252 modutils_run_update_mods(sysadm_t, sysadm_r)
2371d8d8 253 modutils_read_module_deps(sysadm_t)
e9c6cda7
CP		 254')
255
256optional_policy(`
296273a7 257 mount_run(sysadm_t, sysadm_r)
3eaa9939 258 mount_run_showmount(sysadm_t, sysadm_r)
296273a7
CP		 259')
260
296273a7
CP		 261optional_policy(`
262 mta_role(sysadm_r, sysadm_t)
780198a1
DW		 263 mta_filetrans_home_content(sysadm_t)
264 mta_filetrans_admin_home_content(sysadm_t)
e9c6cda7
CP		 265')
266
267optional_policy(`
268 munin_stream_connect(sysadm_t)
269')
270
271optional_policy(`
272 mysql_stream_connect(sysadm_t)
273')
274
3eaa9939
DW		 275optional_policy(`
276 ncftool_run(sysadm_t, sysadm_r)
277')
278
e9c6cda7 279optional_policy(`
296273a7
CP		 280 netutils_run(sysadm_t, sysadm_r)
281 netutils_run_ping(sysadm_t, sysadm_r)
282 netutils_run_traceroute(sysadm_t, sysadm_r)
e9c6cda7
CP		 283')
284
285optional_policy(`
286 ntp_stub()
287 corenet_udp_bind_ntp_port(sysadm_t)
288')
289
290optional_policy(`
296273a7
CP		 291 oav_run_update(sysadm_t, sysadm_r)
292')
293
296273a7
CP		 294optional_policy(`
295 pcmcia_run_cardctl(sysadm_t, sysadm_r)
e9c6cda7
CP		 296')
297
298optional_policy(`
296273a7
CP		 299 portage_run(sysadm_t, sysadm_r)
300 portage_run_gcc_config(sysadm_t, sysadm_r)
e9c6cda7
CP		 301')
302
303optional_policy(`
296273a7 304 portmap_run_helper(sysadm_t, sysadm_r)
e9c6cda7
CP		 305')
306
3eaa9939
DW		 307optional_policy(`
308 prelink_run(sysadm_t, sysadm_r)
309')
310
e9c6cda7 311optional_policy(`
296273a7 312 quota_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 313')
314
315optional_policy(`
316 raid_domtrans_mdadm(sysadm_t)
317')
318
319optional_policy(`
320 rpc_domtrans_nfsd(sysadm_t)
321')
322
323optional_policy(`
296273a7 324 rpm_run(sysadm_t, sysadm_r)
4e889ea1 325 rpm_dbus_chat(sysadm_t, sysadm_r)
296273a7
CP		 326')
327
e9c6cda7
CP		 328
329optional_policy(`
330 rsync_exec(sysadm_t)
331')
332
333optional_policy(`
296273a7
CP		 334 samba_run_net(sysadm_t, sysadm_r)
335 samba_run_winbind_helper(sysadm_t, sysadm_r)
e9c6cda7
CP		 336')
337
b2f8897d
HC		 338optional_policy(`
339 samhain_admin(sysadm_t)
340')
341
e9c6cda7 342optional_policy(`
296273a7 343 screen_role_template(sysadm, sysadm_r, sysadm_t)
e9c6cda7
CP		 344')
345
346optional_policy(`
296273a7 347 secadm_role_change(sysadm_r)
e9c6cda7
CP		 348')
349
350optional_policy(`
296273a7
CP		 351 seutil_run_setfiles(sysadm_t, sysadm_r)
352 seutil_run_runinit(sysadm_t, sysadm_r)
e9c6cda7
CP		 353')
354
3eaa9939
DW		 355optional_policy(`
356 shutdown_run(sysadm_t, sysadm_r)
357')
358
e9c6cda7 359optional_policy(`
296273a7
CP		 360 ssh_role_template(sysadm, sysadm_r, sysadm_t)
361')
362
363optional_policy(`
364 staff_role_change(sysadm_r)
365')
366
367optional_policy(`
368 su_role_template(sysadm, sysadm_r, sysadm_t)
369')
370
371optional_policy(`
372 sudo_role_template(sysadm, sysadm_r, sysadm_t)
373')
374
375optional_policy(`
376 sysnet_run_ifconfig(sysadm_t, sysadm_r)
377 sysnet_run_dhcpc(sysadm_t, sysadm_r)
378')
379
296273a7
CP		 380optional_policy(`
381 tripwire_run_siggen(sysadm_t, sysadm_r)
382 tripwire_run_tripwire(sysadm_t, sysadm_r)
383 tripwire_run_twadmin(sysadm_t, sysadm_r)
384 tripwire_run_twprint(sysadm_t, sysadm_r)
385')
386
e9c6cda7
CP		 387optional_policy(`
388 tzdata_domtrans(sysadm_t)
389')
390
391optional_policy(`
b34db7a8 392 unconfined_domtrans(sysadm_t)
e9c6cda7
CP		 393')
394
9427adb7
MG		 395optional_policy(`
396 udev_run(sysadm_t, sysadm_r)
397')
398
e9c6cda7 399optional_policy(`
296273a7
CP		 400 unprivuser_role_change(sysadm_r)
401')
402
403optional_policy(`
404 usbmodules_run(sysadm_t, sysadm_r)
405')
e9c6cda7 406
296273a7
CP		 407optional_policy(`
408 usermanage_run_admin_passwd(sysadm_t, sysadm_r)
409 usermanage_run_groupadd(sysadm_t, sysadm_r)
410 usermanage_run_useradd(sysadm_t, sysadm_r)
411')
412
3eaa9939
DW		 413
414optional_policy(`
415 vpn_run(sysadm_t, sysadm_r)
416')
e9c6cda7
CP		 417
418optional_policy(`
296273a7 419 vpn_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 420')
421
422optional_policy(`
296273a7 423 webalizer_run(sysadm_t, sysadm_r)
e9c6cda7
CP		 424')
425
3eaa9939
DW		 426optional_policy(`
427 virt_stream_connect(sysadm_t)
d141ac47 428 virt_user_home_dir_filetrans(sysadm_t)
3eaa9939
DW		 429')
430
d35e2ee0 431optional_policy(`
7f9f5bce 432 vlock_run(sysadm_t, sysadm_r)
d35e2ee0
HC		 433')
434
e9c6cda7 435optional_policy(`
296273a7 436 xserver_role(sysadm_r, sysadm_t)
e9c6cda7
CP		 437')
438
439optional_policy(`
296273a7 440 yam_run(sysadm_t, sysadm_r)
e9c6cda7 441')
c87e1502 442
3eaa9939
DW		 443optional_policy(`
444 zebra_stream_connect(sysadm_t)
c87e1502
JS		 445')
446
2968e068
DW		 447ifndef(`distro_redhat',`
448 optional_policy(`
449 apache_role(sysadm_r, sysadm_t)
450 ')
451 optional_policy(`
452 auth_role(sysadm_r, sysadm_t)
453 ')
3eaa9939 454
2968e068
DW		 455 optional_policy(`
456 bluetooth_role(sysadm_r, sysadm_t)
457 ')
458
459 optional_policy(`
460 cdrecord_role(sysadm_r, sysadm_t)
461 ')
462
463 optional_policy(`
464 cron_admin_role(sysadm_r, sysadm_t)
465 ')
466
467 optional_policy(`
468 dbus_role_template(sysadm, sysadm_r, sysadm_t)
469 ')
470
471 optional_policy(`
472 evolution_role(sysadm_r, sysadm_t)
473 ')
474
475 optional_policy(`
476 games_role(sysadm_r, sysadm_t)
477 ')
478
479 optional_policy(`
480 gift_role(sysadm_r, sysadm_t)
481 ')
482
483 optional_policy(`
484 gnome_role(sysadm_r, sysadm_t)
888037b0 485 gnome_admin_home_dir_filetrans(sysadm_t)
2968e068
DW		 486 ')
487
488 optional_policy(`
489 gpg_role(sysadm_r, sysadm_t)
490 ')
491
492 optional_policy(`
493 irc_role(sysadm_r, sysadm_t)
494 ')
495
496 optional_policy(`
497 java_role(sysadm_r, sysadm_t)
498 ')
499
500 optional_policy(`
501 lockdev_role(sysadm_r, sysadm_t)
502 ')
503
504 optional_policy(`
505 mozilla_role(sysadm_r, sysadm_t)
506 ')
507
508 optional_policy(`
509 mplayer_role(sysadm_r, sysadm_t)
510 ')
511
512 optional_policy(`
513 pyzor_role(sysadm_r, sysadm_t)
514 ')
515
516 optional_policy(`
517 razor_role(sysadm_r, sysadm_t)
518 ')
519
520 optional_policy(`
521 rssh_role(sysadm_r, sysadm_t)
522 ')
523
524 optional_policy(`
525 spamassassin_role(sysadm_r, sysadm_t)
526 ')
527
528 optional_policy(`
529 thunderbird_role(sysadm_r, sysadm_t)
530 ')
531
532 optional_policy(`
533 tvtime_role(sysadm_r, sysadm_t)
534 ')
535
536 optional_policy(`
537 uml_role(sysadm_r, sysadm_t)
538 ')
539
540 optional_policy(`
541 userhelper_role_template(sysadm, sysadm_r, sysadm_t)
542 ')
543
544 optional_policy(`
545 vmware_role(sysadm_r, sysadm_t)
546 ')
547
548 optional_policy(`
549 wireshark_role(sysadm_r, sysadm_t)
550 ')
551
552 optional_policy(`
553 xserver_role(sysadm_r, sysadm_t)
554 ')
555')
The IPFire selinux policy.