]>
Commit | Line | Data |
---|---|---|
d5048bc7 | 1 | policy_module(sysadm, 2.2.1) |
e9c6cda7 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
e9c6cda7 CP |
8 | role sysadm_r; |
9 | ||
10 | userdom_admin_user_template(sysadm) | |
11 | ||
12 | ifndef(`enable_mls',` | |
296273a7 | 13 | userdom_security_admin_template(sysadm_t, sysadm_r) |
e9c6cda7 CP |
14 | ') |
15 | ||
16 | ######################################## | |
17 | # | |
18 | # Local policy | |
19 | # | |
2968e068 | 20 | kernel_read_fs_sysctls(sysadm_t) |
e9c6cda7 CP |
21 | |
22 | corecmd_exec_shell(sysadm_t) | |
23 | ||
3eaa9939 DW |
24 | domain_dontaudit_read_all_domains_state(sysadm_t) |
25 | ||
2968e068 DW |
26 | files_read_kernel_modules(sysadm_t) |
27 | ||
65f784aa DW |
28 | dev_filetrans_all_named_dev(sysadm_t) |
29 | storage_filetrans_all_named_dev(sysadm_t) | |
30 | term_filetrans_all_named_dev(sysadm_t) | |
72eaebd0 | 31 | |
e9c6cda7 | 32 | mls_process_read_up(sysadm_t) |
3eaa9939 DW |
33 | mls_file_read_to_clearance(sysadm_t) |
34 | mls_process_write_to_clearance(sysadm_t) | |
e9c6cda7 | 35 | |
77b776ea DW |
36 | storage_setattr_fixed_disk_dev(sysadm_t) |
37 | ||
296273a7 CP |
38 | ubac_process_exempt(sysadm_t) |
39 | ubac_file_exempt(sysadm_t) | |
40 | ubac_fd_exempt(sysadm_t) | |
41 | ||
3eaa9939 DW |
42 | application_exec(sysadm_t) |
43 | ||
e9c6cda7 | 44 | init_exec(sysadm_t) |
3eaa9939 DW |
45 | init_exec_script_files(sysadm_t) |
46 | init_dbus_chat(sysadm_t) | |
2968e068 DW |
47 | init_script_role_transition(sysadm_r) |
48 | ||
91a6f708 | 49 | miscfiles_filetrans_named_content(sysadm_t) |
2968e068 | 50 | miscfiles_read_hwdata(sysadm_t) |
e9c6cda7 | 51 | |
9c7e72de | 52 | sysnet_filetrans_named_content(sysadm_t) |
72eaebd0 | 53 | |
296273a7 CP |
54 | # Add/remove user home directories |
55 | userdom_manage_user_home_dirs(sysadm_t) | |
56 | userdom_home_filetrans_user_home_dir(sysadm_t) | |
2010eb96 | 57 | userdom_manage_tmp_role(sysadm_r, sysadm_t) |
e9c6cda7 | 58 | |
76d53813 | 59 | optional_policy(` |
5b3ec473 | 60 | alsa_filetrans_named_content(sysadm_t) |
76d53813 DW |
61 | ') |
62 | ||
72eaebd0 | 63 | optional_policy(` |
a11cc065 | 64 | ssh_filetrans_admin_home_content(sysadm_t) |
72eaebd0 DW |
65 | ') |
66 | ||
e9c6cda7 CP |
67 | ifdef(`direct_sysadm_daemon',` |
68 | optional_policy(` | |
296273a7 | 69 | init_run_daemon(sysadm_t, sysadm_r) |
e9c6cda7 CP |
70 | ') |
71 | ',` | |
72 | ifdef(`distro_gentoo',` | |
73 | optional_policy(` | |
296273a7 | 74 | seutil_init_script_run_runinit(sysadm_t, sysadm_r) |
e9c6cda7 CP |
75 | ') |
76 | ') | |
77 | ') | |
78 | ||
79 | ifndef(`enable_mls',` | |
80 | logging_manage_audit_log(sysadm_t) | |
81 | logging_manage_audit_config(sysadm_t) | |
296273a7 | 82 | logging_run_auditctl(sysadm_t, sysadm_r) |
3eaa9939 | 83 | logging_stream_connect_syslog(sysadm_t) |
e9c6cda7 CP |
84 | ') |
85 | ||
995bdbb1 | 86 | tunable_policy(`deny_ptrace',`',` |
e9c6cda7 CP |
87 | domain_ptrace_all_domains(sysadm_t) |
88 | ') | |
89 | ||
90 | optional_policy(` | |
296273a7 | 91 | amanda_run_recover(sysadm_t, sysadm_r) |
e9c6cda7 CP |
92 | ') |
93 | ||
94 | optional_policy(` | |
296273a7 | 95 | apache_run_helper(sysadm_t, sysadm_r) |
3ad2a285 | 96 | apache_filetrans_home_content(sysadm_t) |
e9c6cda7 CP |
97 | #apache_run_all_scripts(sysadm_t, sysadm_r) |
98 | #apache_domtrans_sys_script(sysadm_t) | |
99 | ') | |
100 | ||
101 | optional_policy(` | |
102 | # cjp: why is this not apm_run_client | |
103 | apm_domtrans_client(sysadm_t) | |
104 | ') | |
105 | ||
296273a7 CP |
106 | optional_policy(` |
107 | auditadm_role_change(sysadm_r) | |
108 | ') | |
109 | ||
e9c6cda7 | 110 | optional_policy(` |
296273a7 | 111 | bind_run_ndc(sysadm_t, sysadm_r) |
e9c6cda7 CP |
112 | ') |
113 | ||
e9c6cda7 | 114 | optional_policy(` |
296273a7 | 115 | bootloader_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
116 | ') |
117 | ||
3eaa9939 DW |
118 | optional_policy(` |
119 | certmonger_dbus_chat(sysadm_t) | |
120 | ') | |
121 | ||
e9c6cda7 | 122 | optional_policy(` |
296273a7 | 123 | certwatch_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
124 | ') |
125 | ||
126 | optional_policy(` | |
296273a7 | 127 | clock_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
128 | ') |
129 | ||
130 | optional_policy(` | |
296273a7 | 131 | clockspeed_run_cli(sysadm_t, sysadm_r) |
e9c6cda7 CP |
132 | ') |
133 | ||
0351e043 DW |
134 | optional_policy(` |
135 | cron_admin_role(sysadm_r, sysadm_t) | |
a9b17c21 | 136 | #cron_role(sysadm_r, sysadm_t) |
0351e043 DW |
137 | ') |
138 | ||
e9c6cda7 | 139 | optional_policy(` |
e200bcc0 | 140 | consoletype_exec(sysadm_t) |
e9c6cda7 CP |
141 | ') |
142 | ||
3eaa9939 DW |
143 | optional_policy(` |
144 | daemonstools_run_start(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
145 | ') |
146 | ||
4ec3fa73 DW |
147 | optional_policy(` |
148 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
149 | ') | |
150 | ||
e9c6cda7 | 151 | optional_policy(` |
296273a7 CP |
152 | dcc_run_cdcc(sysadm_t, sysadm_r) |
153 | dcc_run_client(sysadm_t, sysadm_r) | |
154 | dcc_run_dbclean(sysadm_t, sysadm_r) | |
155 | ') | |
156 | ||
4ad28653 | 157 | optional_policy(` |
4ec3fa73 | 158 | ddcprobe_run(sysadm_t, sysadm_r) |
4ad28653 DW |
159 | ') |
160 | ||
296273a7 | 161 | optional_policy(` |
d6091320 | 162 | devicekit_filetrans_named_content(sysadm_t) |
e9c6cda7 CP |
163 | ') |
164 | ||
165 | optional_policy(` | |
166 | dmesg_exec(sysadm_t) | |
167 | ') | |
168 | ||
169 | optional_policy(` | |
296273a7 CP |
170 | dmidecode_run(sysadm_t, sysadm_r) |
171 | ') | |
172 | ||
173 | optional_policy(` | |
174 | dpkg_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
175 | ') |
176 | ||
e9c6cda7 | 177 | optional_policy(` |
296273a7 | 178 | firstboot_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
179 | ') |
180 | ||
181 | optional_policy(` | |
296273a7 | 182 | fstools_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
183 | ') |
184 | ||
296273a7 CP |
185 | optional_policy(` |
186 | hostname_run(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
187 | ') |
188 | ||
bc71a042 | 189 | optional_policy(` |
641ac054 | 190 | hadoop_role(sysadm_r, sysadm_t) |
bc71a042 PN |
191 | ') |
192 | ||
e9c6cda7 CP |
193 | optional_policy(` |
194 | # allow system administrator to use the ipsec script to look | |
195 | # at things (e.g., ipsec auto --status) | |
196 | # probably should create an ipsec_admin role for this kind of thing | |
197 | ipsec_exec_mgmt(sysadm_t) | |
198 | ipsec_stream_connect(sysadm_t) | |
199 | # for lsof | |
200 | ipsec_getattr_key_sockets(sysadm_t) | |
3eaa9939 DW |
201 | ipsec_run_setkey(sysadm_t, sysadm_r) |
202 | ipsec_run_racoon(sysadm_t, sysadm_r) | |
203 | ipsec_stream_connect_racoon(sysadm_t) | |
204 | ||
205 | optional_policy(` | |
206 | ipsec_mgmt_dbus_chat(sysadm_t) | |
207 | ') | |
e9c6cda7 CP |
208 | ') |
209 | ||
210 | optional_policy(` | |
296273a7 CP |
211 | iptables_run(sysadm_t, sysadm_r) |
212 | ') | |
213 | ||
f8f030aa DG |
214 | optional_policy(` |
215 | irc_role(sysadm_r, sysadm_t) | |
216 | ') | |
217 | ||
3eaa9939 DW |
218 | optional_policy(` |
219 | kerberos_exec_kadmind(sysadm_t) | |
d141ac47 | 220 | kerberos_filetrans_named_content(sysadm_t) |
3eaa9939 DW |
221 | ') |
222 | ||
e9c6cda7 | 223 | optional_policy(` |
296273a7 | 224 | libs_run_ldconfig(sysadm_t, sysadm_r) |
e9c6cda7 CP |
225 | ') |
226 | ||
e9c6cda7 | 227 | optional_policy(` |
296273a7 | 228 | logrotate_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
229 | ') |
230 | ||
231 | optional_policy(` | |
296273a7 CP |
232 | lpd_run_checkpc(sysadm_t, sysadm_r) |
233 | lpd_role(sysadm_r, sysadm_t) | |
e9c6cda7 CP |
234 | ') |
235 | ||
236 | optional_policy(` | |
296273a7 | 237 | lvm_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
238 | ') |
239 | ||
240 | optional_policy(` | |
296273a7 CP |
241 | modutils_run_depmod(sysadm_t, sysadm_r) |
242 | modutils_run_insmod(sysadm_t, sysadm_r) | |
243 | modutils_run_update_mods(sysadm_t, sysadm_r) | |
2371d8d8 | 244 | modutils_read_module_deps(sysadm_t) |
c66c51f7 | 245 | modules_filetrans_named_content(sysadm_t) |
e9c6cda7 CP |
246 | ') |
247 | ||
248 | optional_policy(` | |
296273a7 | 249 | mount_run(sysadm_t, sysadm_r) |
3eaa9939 | 250 | mount_run_showmount(sysadm_t, sysadm_r) |
296273a7 CP |
251 | ') |
252 | ||
296273a7 CP |
253 | optional_policy(` |
254 | mta_role(sysadm_r, sysadm_t) | |
7c702088 MG |
255 | # this is defined in userdom_common_user_template |
256 | #mta_filetrans_home_content(sysadm_t) | |
780198a1 | 257 | mta_filetrans_admin_home_content(sysadm_t) |
e9c6cda7 CP |
258 | ') |
259 | ||
260 | optional_policy(` | |
261 | munin_stream_connect(sysadm_t) | |
262 | ') | |
263 | ||
264 | optional_policy(` | |
265 | mysql_stream_connect(sysadm_t) | |
266 | ') | |
267 | ||
3eaa9939 DW |
268 | optional_policy(` |
269 | ncftool_run(sysadm_t, sysadm_r) | |
270 | ') | |
271 | ||
e9c6cda7 | 272 | optional_policy(` |
296273a7 CP |
273 | netutils_run(sysadm_t, sysadm_r) |
274 | netutils_run_ping(sysadm_t, sysadm_r) | |
275 | netutils_run_traceroute(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
276 | ') |
277 | ||
0ddcd8f6 DW |
278 | optional_policy(` |
279 | networkmanager_filetrans_named_content(sysadm_t) | |
280 | ') | |
281 | ||
e9c6cda7 CP |
282 | optional_policy(` |
283 | ntp_stub() | |
284 | corenet_udp_bind_ntp_port(sysadm_t) | |
285 | ') | |
286 | ||
e4b8dbb3 | 287 | optional_policy(` |
7e67b9c9 | 288 | nx_filetrans_named_content(sysadm_t) |
e4b8dbb3 DW |
289 | ') |
290 | ||
e9c6cda7 | 291 | optional_policy(` |
296273a7 CP |
292 | oav_run_update(sysadm_t, sysadm_r) |
293 | ') | |
294 | ||
87f49770 MG |
295 | optional_policy(` |
296 | openvpn_run(sysadm_t, sysadm_r) | |
297 | ') | |
298 | ||
296273a7 CP |
299 | optional_policy(` |
300 | pcmcia_run_cardctl(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
301 | ') |
302 | ||
f1b7d092 DG |
303 | optional_policy(` |
304 | polipo_role(sysadm_r, sysadm_t) | |
305 | polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) | |
306 | polipo_named_filetrans_admin_config_home_files(sysadm_t) | |
307 | ') | |
308 | ||
e9c6cda7 | 309 | optional_policy(` |
296273a7 CP |
310 | portage_run(sysadm_t, sysadm_r) |
311 | portage_run_gcc_config(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
312 | ') |
313 | ||
314 | optional_policy(` | |
296273a7 | 315 | portmap_run_helper(sysadm_t, sysadm_r) |
e9c6cda7 CP |
316 | ') |
317 | ||
7dd47a9a DW |
318 | optional_policy(` |
319 | postfix_filetrans_named_content(sysadm_t) | |
320 | ') | |
321 | ||
3eaa9939 DW |
322 | optional_policy(` |
323 | prelink_run(sysadm_t, sysadm_r) | |
324 | ') | |
325 | ||
51b8b4c0 DW |
326 | optional_policy(` |
327 | puppet_run_puppetca(sysadm_t, sysadm_r) | |
328 | ') | |
329 | ||
e9c6cda7 | 330 | optional_policy(` |
296273a7 | 331 | quota_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
332 | ') |
333 | ||
334 | optional_policy(` | |
335 | raid_domtrans_mdadm(sysadm_t) | |
336 | ') | |
337 | ||
338 | optional_policy(` | |
339 | rpc_domtrans_nfsd(sysadm_t) | |
340 | ') | |
341 | ||
342 | optional_policy(` | |
296273a7 | 343 | rpm_run(sysadm_t, sysadm_r) |
4e889ea1 | 344 | rpm_dbus_chat(sysadm_t, sysadm_r) |
296273a7 CP |
345 | ') |
346 | ||
e9c6cda7 CP |
347 | optional_policy(` |
348 | rsync_exec(sysadm_t) | |
349 | ') | |
350 | ||
351 | optional_policy(` | |
296273a7 CP |
352 | samba_run_net(sysadm_t, sysadm_r) |
353 | samba_run_winbind_helper(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
354 | ') |
355 | ||
b2f8897d HC |
356 | optional_policy(` |
357 | samhain_admin(sysadm_t) | |
358 | ') | |
359 | ||
e9c6cda7 | 360 | optional_policy(` |
296273a7 | 361 | screen_role_template(sysadm, sysadm_r, sysadm_t) |
e9c6cda7 CP |
362 | ') |
363 | ||
364 | optional_policy(` | |
296273a7 | 365 | secadm_role_change(sysadm_r) |
e9c6cda7 CP |
366 | ') |
367 | ||
7c525b65 DW |
368 | optional_policy(` |
369 | setroubleshoot_stream_connect(sysadm_t) | |
370 | setroubleshoot_dbus_chat(sysadm_t) | |
371 | setroubleshoot_dbus_chat_fixit(sysadm_t) | |
372 | ') | |
373 | ||
e9c6cda7 | 374 | optional_policy(` |
296273a7 CP |
375 | seutil_run_setfiles(sysadm_t, sysadm_r) |
376 | seutil_run_runinit(sysadm_t, sysadm_r) | |
e9c6cda7 CP |
377 | ') |
378 | ||
3eaa9939 DW |
379 | optional_policy(` |
380 | shutdown_run(sysadm_t, sysadm_r) | |
381 | ') | |
382 | ||
e9c6cda7 | 383 | optional_policy(` |
296273a7 CP |
384 | ssh_role_template(sysadm, sysadm_r, sysadm_t) |
385 | ') | |
386 | ||
387 | optional_policy(` | |
388 | staff_role_change(sysadm_r) | |
389 | ') | |
390 | ||
391 | optional_policy(` | |
392 | su_role_template(sysadm, sysadm_r, sysadm_t) | |
393 | ') | |
394 | ||
395 | optional_policy(` | |
396 | sudo_role_template(sysadm, sysadm_r, sysadm_t) | |
397 | ') | |
398 | ||
399 | optional_policy(` | |
400 | sysnet_run_ifconfig(sysadm_t, sysadm_r) | |
401 | sysnet_run_dhcpc(sysadm_t, sysadm_r) | |
402 | ') | |
403 | ||
d7441a41 DW |
404 | optional_policy(` |
405 | systemd_passwd_agent_run(sysadm_t, sysadm_r) | |
faaa4a27 DW |
406 | systemd_config_all_services(sysadm_t) |
407 | systemd_manage_all_unit_files(sysadm_t) | |
408 | systemd_manage_all_unit_lnk_files(sysadm_t) | |
d7441a41 DW |
409 | ') |
410 | ||
296273a7 CP |
411 | optional_policy(` |
412 | tripwire_run_siggen(sysadm_t, sysadm_r) | |
413 | tripwire_run_tripwire(sysadm_t, sysadm_r) | |
414 | tripwire_run_twadmin(sysadm_t, sysadm_r) | |
415 | tripwire_run_twprint(sysadm_t, sysadm_r) | |
416 | ') | |
417 | ||
e9c6cda7 CP |
418 | optional_policy(` |
419 | tzdata_domtrans(sysadm_t) | |
420 | ') | |
421 | ||
422 | optional_policy(` | |
b34db7a8 | 423 | unconfined_domtrans(sysadm_t) |
e9c6cda7 CP |
424 | ') |
425 | ||
9427adb7 MG |
426 | optional_policy(` |
427 | udev_run(sysadm_t, sysadm_r) | |
428 | ') | |
429 | ||
e9c6cda7 | 430 | optional_policy(` |
296273a7 CP |
431 | unprivuser_role_change(sysadm_r) |
432 | ') | |
433 | ||
434 | optional_policy(` | |
435 | usbmodules_run(sysadm_t, sysadm_r) | |
436 | ') | |
e9c6cda7 | 437 | |
296273a7 CP |
438 | optional_policy(` |
439 | usermanage_run_admin_passwd(sysadm_t, sysadm_r) | |
440 | usermanage_run_groupadd(sysadm_t, sysadm_r) | |
441 | usermanage_run_useradd(sysadm_t, sysadm_r) | |
442 | ') | |
443 | ||
3eaa9939 | 444 | optional_policy(` |
7c525b65 DW |
445 | virt_stream_connect(sysadm_t) |
446 | virt_filetrans_home_content(sysadm_t) | |
e9c6cda7 CP |
447 | ') |
448 | ||
449 | optional_policy(` | |
7c525b65 | 450 | vlock_run(sysadm_t, sysadm_r) |
e9c6cda7 CP |
451 | ') |
452 | ||
3eaa9939 | 453 | optional_policy(` |
7c525b65 | 454 | vpn_run(sysadm_t, sysadm_r) |
3eaa9939 DW |
455 | ') |
456 | ||
d35e2ee0 | 457 | optional_policy(` |
7c525b65 | 458 | webalizer_run(sysadm_t, sysadm_r) |
d35e2ee0 HC |
459 | ') |
460 | ||
e9c6cda7 | 461 | optional_policy(` |
296273a7 | 462 | xserver_role(sysadm_r, sysadm_t) |
e9c6cda7 CP |
463 | ') |
464 | ||
3eaa9939 DW |
465 | optional_policy(` |
466 | zebra_stream_connect(sysadm_t) | |
c87e1502 JS |
467 | ') |
468 | ||
2968e068 DW |
469 | ifndef(`distro_redhat',` |
470 | optional_policy(` | |
471 | apache_role(sysadm_r, sysadm_t) | |
472 | ') | |
473 | optional_policy(` | |
474 | auth_role(sysadm_r, sysadm_t) | |
475 | ') | |
3eaa9939 | 476 | |
2968e068 DW |
477 | optional_policy(` |
478 | bluetooth_role(sysadm_r, sysadm_t) | |
479 | ') | |
480 | ||
481 | optional_policy(` | |
482 | cdrecord_role(sysadm_r, sysadm_t) | |
483 | ') | |
484 | ||
2968e068 DW |
485 | optional_policy(` |
486 | dbus_role_template(sysadm, sysadm_r, sysadm_t) | |
487 | ') | |
488 | ||
2968e068 DW |
489 | optional_policy(` |
490 | gpg_role(sysadm_r, sysadm_t) | |
491 | ') | |
492 | ||
2968e068 DW |
493 | optional_policy(` |
494 | java_role(sysadm_r, sysadm_t) | |
495 | ') | |
496 | ||
497 | optional_policy(` | |
498 | lockdev_role(sysadm_r, sysadm_t) | |
499 | ') | |
500 | ||
dd323694 DW |
501 | optional_policy(` |
502 | mock_admin(sysadm_t) | |
503 | ') | |
504 | ||
2968e068 DW |
505 | optional_policy(` |
506 | mplayer_role(sysadm_r, sysadm_t) | |
507 | ') | |
508 | ||
509 | optional_policy(` | |
510 | pyzor_role(sysadm_r, sysadm_t) | |
511 | ') | |
512 | ||
513 | optional_policy(` | |
514 | razor_role(sysadm_r, sysadm_t) | |
515 | ') | |
516 | ||
517 | optional_policy(` | |
518 | rssh_role(sysadm_r, sysadm_t) | |
519 | ') | |
520 | ||
521 | optional_policy(` | |
522 | spamassassin_role(sysadm_r, sysadm_t) | |
523 | ') | |
524 | ||
2968e068 DW |
525 | optional_policy(` |
526 | uml_role(sysadm_r, sysadm_t) | |
527 | ') | |
528 | ||
529 | optional_policy(` | |
530 | userhelper_role_template(sysadm, sysadm_r, sysadm_t) | |
531 | ') | |
532 | ||
533 | optional_policy(` | |
534 | vmware_role(sysadm_r, sysadm_t) | |
535 | ') | |
536 | ||
537 | optional_policy(` | |
538 | wireshark_role(sysadm_r, sysadm_t) | |
539 | ') | |
540 | ||
541 | optional_policy(` | |
542 | xserver_role(sysadm_r, sysadm_t) | |
543 | ') | |
544 | ') |