]>
Commit | Line | Data |
---|---|---|
08690c84 | 1 | policy_module(sysadm, 2.1.1) |
e9c6cda7 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | ## <desc> | |
9 | ## <p> | |
10 | ## Allow sysadm to debug or ptrace all processes. | |
11 | ## </p> | |
12 | ## </desc> | |
0bfccda4 | 13 | gen_tunable(allow_ptrace, false) |
e9c6cda7 CP |
14 | |
15 | role sysadm_r; | |
16 | ||
17 | userdom_admin_user_template(sysadm) | |
18 | ||
19 | ifndef(`enable_mls',` | |
296273a7 | 20 | userdom_security_admin_template(sysadm_t, sysadm_r) |
e9c6cda7 CP |
21 | ') |
22 | ||
23 | ######################################## | |
24 | # | |
25 | # Local policy | |
26 | # | |
27 | ||
28 | corecmd_exec_shell(sysadm_t) | |
29 | ||
30 | mls_process_read_up(sysadm_t) | |
31 | ||
296273a7 CP |
32 | ubac_process_exempt(sysadm_t) |
33 | ubac_file_exempt(sysadm_t) | |
34 | ubac_fd_exempt(sysadm_t) | |
35 | ||
e9c6cda7 CP |
36 | init_exec(sysadm_t) |
37 | ||
296273a7 CP |
38 | # Add/remove user home directories |
39 | userdom_manage_user_home_dirs(sysadm_t) | |
40 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
e9c6cda7 CP |
41 | |
42 | ifdef(`direct_sysadm_daemon',` | |
43 | optional_policy(` | |
296273a7 | 44 | init_run_daemon(sysadm_t, sysadm_r) |
e9c6cda7 CP |
45 | ') |
46 | ',` | |
47 | ifdef(`distro_gentoo',` | |
48 | optional_policy(` | |
296273a7 | 49 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) |
e9c6cda7 CP |
50 | ') |
51 | ') | |
52 | ') | |
53 | ||
54 | ifndef(`enable_mls',` | |
55 | logging_manage_audit_log(sysadm_t) | |
56 | logging_manage_audit_config(sysadm_t) | |
296273a7 | 57 | logging_run_auditctl(sysadm_t, sysadm_r) |
e9c6cda7 CP |
58 | ') |
59 | ||
60 | tunable_policy(`allow_ptrace',` | |
61 | domain_ptrace_all_domains(sysadm_t) | |
62 | ') | |
63 | ||
64 | optional_policy(` | |
296273a7 | 65 | amanda_run_recover(sysadm_t, sysadm_r) |
e9c6cda7 CP |
66 | ') |
67 | ||
68 | optional_policy(` | |
296273a7 | 69 | apache_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
70 | #apache_run_all_scripts(sysadm_t, sysadm_r) |
71 | #apache_domtrans_sys_script(sysadm_t) | |
296273a7 | 72 | apache_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
73 | ') |
74 | ||
75 | optional_policy(` | |
76 | # cjp: why is this not apm_run_client | |
77 | apm_domtrans_client(sysadm_t) | |
78 | ') | |
79 | ||
80 | optional_policy(` | |
296273a7 CP |
81 | apt_run(sysadm_t, sysadm_r) |
82 | ') | |
83 | ||
84 | optional_policy(` | |
85 | auditadm_role_change(sysadm_r) | |
86 | ') | |
87 | ||
296273a7 CP |
88 | optional_policy(` |
89 | backup_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
90 | ') |
91 | ||
92 | optional_policy(` | |
296273a7 | 93 | bind_run_ndc(sysadm_t, sysadm_r) |
e9c6cda7 CP |
94 | ') |
95 | ||
e9c6cda7 | 96 | optional_policy(` |
296273a7 | 97 | bootloader_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
98 | ') |
99 | ||
e9c6cda7 | 100 | optional_policy(` |
296273a7 | 101 | certwatch_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
102 | ') |
103 | ||
104 | optional_policy(` | |
296273a7 | 105 | clock_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
106 | ') |
107 | ||
108 | optional_policy(` | |
296273a7 | 109 | clockspeed_run_cli(sysadm_t, sysadm_r) |
e9c6cda7 CP |
110 | ') |
111 | ||
112 | optional_policy(` | |
296273a7 | 113 | consoletype_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
114 | ') |
115 | ||
e9c6cda7 CP |
116 | optional_policy(` |
117 | cvs_exec(sysadm_t) | |
118 | ') | |
119 | ||
e9c6cda7 | 120 | optional_policy(` |
296273a7 CP |
121 | dcc_run_cdcc(sysadm_t, sysadm_r) |
122 | dcc_run_client(sysadm_t, sysadm_r) | |
123 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
124 | ') | |
125 | ||
126 | optional_policy(` | |
127 | ddcprobe_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
128 | ') |
129 | ||
130 | optional_policy(` | |
131 | dmesg_exec(sysadm_t) | |
132 | ') | |
133 | ||
134 | optional_policy(` | |
296273a7 CP |
135 | dmidecode_run(sysadm_t, sysadm_r) |
136 | ') | |
137 | ||
138 | optional_policy(` | |
139 | dpkg_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
140 | ') |
141 | ||
e9c6cda7 | 142 | optional_policy(` |
296273a7 | 143 | firstboot_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
144 | ') |
145 | ||
146 | optional_policy(` | |
296273a7 | 147 | fstools_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
148 | ') |
149 | ||
296273a7 CP |
150 | optional_policy(` |
151 | hostname_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
152 | ') |
153 | ||
154 | optional_policy(` | |
155 | # allow system administrator to use the ipsec script to look | |
156 | # at things (e.g., ipsec auto --status) | |
157 | # probably should create an ipsec_admin role for this kind of thing | |
158 | ipsec_exec_mgmt(sysadm_t) | |
159 | ipsec_stream_connect(sysadm_t) | |
160 | # for lsof | |
161 | ipsec_getattr_key_sockets(sysadm_t) | |
162 | ') | |
163 | ||
164 | optional_policy(` | |
296273a7 CP |
165 | iptables_run(sysadm_t, sysadm_r) |
166 | ') | |
167 | ||
e9c6cda7 | 168 | optional_policy(` |
296273a7 | 169 | kudzu_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
170 | ') |
171 | ||
172 | optional_policy(` | |
296273a7 | 173 | libs_run_ldconfig(sysadm_t, sysadm_r) |
e9c6cda7 CP |
174 | ') |
175 | ||
176 | optional_policy(` | |
296273a7 | 177 | lockdev_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
178 | ') |
179 | ||
180 | optional_policy(` | |
296273a7 | 181 | logrotate_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
182 | ') |
183 | ||
184 | optional_policy(` | |
296273a7 CP |
185 | lpd_run_checkpc(sysadm_t, sysadm_r) |
186 | lpd_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
187 | ') |
188 | ||
189 | optional_policy(` | |
296273a7 | 190 | lvm_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
191 | ') |
192 | ||
193 | optional_policy(` | |
296273a7 CP |
194 | modutils_run_depmod(sysadm_t, sysadm_r) |
195 | modutils_run_insmod(sysadm_t, sysadm_r) | |
196 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
197 | ') |
198 | ||
199 | optional_policy(` | |
296273a7 CP |
200 | mount_run(sysadm_t, sysadm_r) |
201 | ') | |
202 | ||
203 | optional_policy(` | |
204 | mozilla_role(sysadm_r, sysadm_t) | |
205 | ') | |
206 | ||
207 | optional_policy(` | |
208 | mplayer_role(sysadm_r, sysadm_t) | |
209 | ') | |
210 | ||
211 | optional_policy(` | |
212 | mta_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
213 | ') |
214 | ||
215 | optional_policy(` | |
216 | munin_stream_connect(sysadm_t) | |
217 | ') | |
218 | ||
219 | optional_policy(` | |
220 | mysql_stream_connect(sysadm_t) | |
221 | ') | |
222 | ||
223 | optional_policy(` | |
296273a7 CP |
224 | netutils_run(sysadm_t, sysadm_r) |
225 | netutils_run_ping(sysadm_t, sysadm_r) | |
226 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
227 | ') |
228 | ||
229 | optional_policy(` | |
230 | ntp_stub() | |
231 | corenet_udp_bind_ntp_port(sysadm_t) | |
232 | ') | |
233 | ||
234 | optional_policy(` | |
296273a7 CP |
235 | oav_run_update(sysadm_t, sysadm_r) |
236 | ') | |
237 | ||
238 | optional_policy(` | |
239 | oident_manage_user_content(sysadm_t) | |
240 | oident_relabel_user_content(sysadm_t) | |
241 | ') | |
242 | ||
243 | optional_policy(` | |
244 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
245 | ') |
246 | ||
247 | optional_policy(` | |
296273a7 CP |
248 | portage_run(sysadm_t, sysadm_r) |
249 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
250 | ') |
251 | ||
252 | optional_policy(` | |
296273a7 | 253 | portmap_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
254 | ') |
255 | ||
256 | optional_policy(` | |
296273a7 | 257 | pyzor_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
258 | ') |
259 | ||
260 | optional_policy(` | |
296273a7 | 261 | quota_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
262 | ') |
263 | ||
264 | optional_policy(` | |
265 | raid_domtrans_mdadm(sysadm_t) | |
266 | ') | |
267 | ||
296273a7 CP |
268 | optional_policy(` |
269 | razor_role(sysadm_r, sysadm_t) | |
270 | ') | |
271 | ||
e9c6cda7 CP |
272 | optional_policy(` |
273 | rpc_domtrans_nfsd(sysadm_t) | |
274 | ') | |
275 | ||
276 | optional_policy(` | |
296273a7 CP |
277 | rpm_run(sysadm_t, sysadm_r) |
278 | ') | |
279 | ||
280 | optional_policy(` | |
281 | rssh_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
282 | ') |
283 | ||
284 | optional_policy(` | |
285 | rsync_exec(sysadm_t) | |
286 | ') | |
287 | ||
288 | optional_policy(` | |
296273a7 CP |
289 | samba_run_net(sysadm_t, sysadm_r) |
290 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
291 | ') |
292 | ||
293 | optional_policy(` | |
296273a7 | 294 | screen_role_template(sysadm, sysadm_r, sysadm_t) |
e9c6cda7 CP |
295 | ') |
296 | ||
297 | optional_policy(` | |
296273a7 | 298 | secadm_role_change(sysadm_r) |
e9c6cda7 CP |
299 | ') |
300 | ||
301 | optional_policy(` | |
296273a7 CP |
302 | seutil_run_setfiles(sysadm_t, sysadm_r) |
303 | seutil_run_runinit(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
304 | ') |
305 | ||
306 | optional_policy(` | |
296273a7 | 307 | spamassassin_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
308 | ') |
309 | ||
310 | optional_policy(` | |
296273a7 CP |
311 | ssh_role_template(sysadm, sysadm_r, sysadm_t) |
312 | ') | |
313 | ||
314 | optional_policy(` | |
315 | staff_role_change(sysadm_r) | |
316 | ') | |
317 | ||
318 | optional_policy(` | |
319 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
320 | ') | |
321 | ||
322 | optional_policy(` | |
323 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
324 | ') | |
325 | ||
326 | optional_policy(` | |
327 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
328 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
329 | ') | |
330 | ||
331 | optional_policy(` | |
332 | thunderbird_role(sysadm_r, sysadm_t) | |
333 | ') | |
334 | ||
335 | optional_policy(` | |
336 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
337 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
338 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
339 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
340 | ') | |
341 | ||
342 | optional_policy(` | |
343 | tvtime_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
344 | ') |
345 | ||
346 | optional_policy(` | |
347 | tzdata_domtrans(sysadm_t) | |
348 | ') | |
349 | ||
296273a7 CP |
350 | optional_policy(` |
351 | uml_role(sysadm_r, sysadm_t) | |
352 | ') | |
353 | ||
e9c6cda7 | 354 | optional_policy(` |
b34db7a8 | 355 | unconfined_domtrans(sysadm_t) |
e9c6cda7 CP |
356 | ') |
357 | ||
358 | optional_policy(` | |
296273a7 CP |
359 | unprivuser_role_change(sysadm_r) |
360 | ') | |
361 | ||
362 | optional_policy(` | |
363 | usbmodules_run(sysadm_t, sysadm_r) | |
364 | ') | |
e9c6cda7 | 365 | |
296273a7 CP |
366 | optional_policy(` |
367 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
368 | ') | |
369 | ||
370 | optional_policy(` | |
371 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
372 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
373 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
374 | ') | |
375 | ||
376 | optional_policy(` | |
377 | vmware_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
378 | ') |
379 | ||
380 | optional_policy(` | |
296273a7 | 381 | vpn_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
382 | ') |
383 | ||
384 | optional_policy(` | |
296273a7 | 385 | webalizer_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
386 | ') |
387 | ||
388 | optional_policy(` | |
296273a7 | 389 | wireshark_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
390 | ') |
391 | ||
392 | optional_policy(` | |
296273a7 | 393 | xserver_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
394 | ') |
395 | ||
396 | optional_policy(` | |
296273a7 | 397 | yam_run(sysadm_t, sysadm_r) |
e9c6cda7 | 398 | ') |
c87e1502 JS |
399 | |
400 | ifndef(`distro_redhat',` | |
401 | optional_policy(` | |
402 | auth_role(sysadm_r, sysadm_t) | |
403 | ') | |
404 | ||
405 | optional_policy(` | |
406 | bluetooth_role(sysadm_r, sysadm_t) | |
407 | ') | |
408 | ||
409 | optional_policy(` | |
410 | cdrecord_role(sysadm_r, sysadm_t) | |
411 | ') | |
412 | ||
413 | optional_policy(` | |
414 | cron_admin_role(sysadm_r, sysadm_t) | |
415 | ') | |
416 | ||
417 | optional_policy(` | |
418 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
419 | ') | |
420 | ||
421 | optional_policy(` | |
422 | evolution_role(sysadm_r, sysadm_t) | |
423 | ') | |
424 | ||
425 | optional_policy(` | |
426 | games_role(sysadm_r, sysadm_t) | |
427 | ') | |
428 | ||
429 | optional_policy(` | |
430 | gift_role(sysadm_r, sysadm_t) | |
431 | ') | |
432 | ||
433 | optional_policy(` | |
434 | gnome_role(sysadm_r, sysadm_t) | |
435 | ') | |
436 | ||
437 | optional_policy(` | |
438 | gpg_role(sysadm_r, sysadm_t) | |
439 | ') | |
440 | ||
441 | optional_policy(` | |
442 | irc_role(sysadm_r, sysadm_t) | |
443 | ') | |
444 | ||
445 | optional_policy(` | |
446 | java_role(sysadm_r, sysadm_t) | |
447 | ') | |
448 | ') | |
449 |