Remove module for apt.
policy_module(sysadm, 2.2.1)

########################################
#
# Declarations
#

role sysadm_r;

# Build the sysadm user domain from the shared admin-user template; the
# rest of this file only layers additional grants on top of what the
# template provides (the domain itself is referred to below as sysadm_t).
userdom_admin_user_template(sysadm)

# On non-MLS builds the security-admin template is applied to sysadm_t as
# well, so one role carries both system and security administration.
# NOTE(review): on MLS builds this is left out — presumably because the
# security-admin duties belong to a separate role there; confirm this is
# the intended separation of duties for the non-MLS configuration.
ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')
15
########################################
#
# Local policy
#

kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

# dontaudit: denied attempts by sysadm_t to read other domains' process
# state are dropped from the audit log rather than granted.  Keep this in
# mind when investigating — such accesses will not leave an AVC record.
domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

# Named file transitions so device nodes created by sysadm_t under /dev
# land in their expected device types rather than the generic one.
dev_filetrans_all_named_dev(sysadm_t)
storage_filetrans_all_named_dev(sysadm_t)
term_filetrans_all_named_dev(sysadm_t)

# MLS: sysadm_t may read processes/files above its level, up to its
# clearance, and write up to its clearance.  These only have effect on
# an MLS-enabled policy.
mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

storage_setattr_fixed_disk_dev(sysadm_t)

# Exempt sysadm_t from the UBAC (user-based access control) constraints
# for process, file and file-descriptor accesses, so it can reach objects
# owned by other SELinux users.
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

# Interaction with init: run init and init scripts directly, talk to it
# over D-Bus, and allow the init-script role transition for sysadm_r.
init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

miscfiles_filetrans_named_content(sysadm_t)
miscfiles_read_hwdata(sysadm_t)

sysnet_filetrans_named_content(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_tmp_role(sysadm_r, sysadm_t)
58
optional_policy(`
	alsa_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(sysadm_t)
')

# With direct_sysadm_daemon built in, sysadm_t starts daemons directly
# (and the daemon runs in its own domain via init_run_daemon); otherwise
# only Gentoo gets the runinit path through seutil.
ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

# Non-MLS builds give sysadm_t control over the audit subsystem: managing
# the audit log and its configuration and running auditctl in sysadm_r.
# NOTE(review): the ability to manage the audit log includes the ability
# to truncate it, so on these builds the audit trail is not protected from
# the system administrator.  On MLS builds these grants are omitted —
# presumably so a separate audit-admin role keeps them; confirm.
ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

# The "true" branch of this tunable is intentionally empty: only while the
# deny_ptrace boolean is OFF does sysadm_t get ptrace over every domain.
# The default of that boolean therefore decides whether the admin domain
# can inspect and modify any process on the system; setting deny_ptrace
# on is the way to withdraw this.
tunable_policy(`deny_ptrace',`',`
	domain_ptrace_all_domains(sysadm_t)
')
89
########################################
#
# Optional per-module grants.  Each optional_policy block is only
# compiled in when the named module is present in the policy; they are
# kept alphabetical by module.
#

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	apache_filetrans_home_content(sysadm_t)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

# Role changes permitted from sysadm_r into the audit-admin role (the
# matching secadm/staff/unprivuser changes are granted further down).
optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

# The admin cron role is used rather than the plain user cron role.
optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
	#cron_role(sysadm_r, sysadm_t)
')

optional_policy(`
	consoletype_exec(sysadm_t)
')

optional_policy(`
	daemonstools_run_start(sysadm_t, sysadm_r)
')

# NOTE(review): this template is invoked again inside the
# ifndef(`distro_redhat') block at the end of this file, so non-Red Hat
# builds apply it twice.  If the template declares types, that would be a
# duplicate declaration at build time — confirm and keep only one call.
optional_policy(`
	dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	devicekit_filetrans_named_content(sysadm_t)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

# Package managers (dpkg here, portage and rpm further down): each gets a
# run interface so package operations happen in the manager's own domain
# rather than directly in sysadm_t.
optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
	kerberos_filetrans_named_content(sysadm_t)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

# Kernel module management runs in the modutils domains; sysadm_t itself
# only reads the module dependency data and gets named transitions for
# content it creates under the modules directory.
optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
	modutils_read_module_deps(sysadm_t)
	modules_filetrans_named_content(sysadm_t)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
	# this is defined in userdom_common_user_template
	#mta_filetrans_home_content(sysadm_t)
	mta_filetrans_admin_home_content(sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	networkmanager_filetrans_named_content(sysadm_t)
')

# ntp_stub() only pulls in the ntp module's declarations; the actual grant
# is the UDP bind on the NTP port for sysadm_t itself.
optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	nx_filetrans_named_content(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	openvpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	polipo_role(sysadm_r, sysadm_t)
	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	polipo_named_filetrans_admin_config_home_files(sysadm_t)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	postfix_filetrans_named_content(sysadm_t)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	puppet_run_puppetca(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
	rpm_dbus_chat(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	samhain_admin(sysadm_t)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	setroubleshoot_stream_connect(sysadm_t)
	setroubleshoot_dbus_chat(sysadm_t)
	setroubleshoot_dbus_chat_fixit(sysadm_t)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

# su and sudo from sysadm_r get their own per-role domains via templates.
optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

# systemd: beyond running the password agent, sysadm_t may configure every
# service and manage all unit files and their symlinks — i.e. it can
# define what runs at boot.
optional_policy(`
	systemd_passwd_agent_run(sysadm_t, sysadm_r)
	systemd_config_all_services(sysadm_t)
	systemd_manage_all_unit_files(sysadm_t)
	systemd_manage_all_unit_lnk_files(sysadm_t)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

# When the unconfined module is present, sysadm_t may transition into the
# unconfined domain.  This is the broadest grant in the file: once there,
# the remaining confinement of the admin session no longer applies, so
# builds that want a confined administrator should omit that module.
optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	udev_run(sysadm_t, sysadm_r)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

# Account management (passwd/groupadd/useradd) runs in the usermanage
# domains rather than in sysadm_t directly.
optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
	virt_filetrans_home_content(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

# NOTE(review): xserver_role is also called inside the
# ifndef(`distro_redhat') block at the end of this file, so non-Red Hat
# builds apply it twice; confirm one of the two can be dropped.
optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')
468
########################################
#
# Grants that Red Hat based builds leave out.  Everything in this block is
# compiled away when distro_redhat is defined; on other distributions the
# roles and application domains below are attached to sysadm_r.
#
ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')
	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	# NOTE(review): dbus_role_template(sysadm, sysadm_r, sysadm_t) is
	# already invoked unconditionally earlier in this file; here it runs a
	# second time on every non-Red Hat build.  If the template declares
	# types, that is a duplicate declaration at build time — confirm and
	# keep only one of the two calls.  xserver_role below is duplicated
	# the same way.
	optional_policy(`
		dbus_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mock_admin(sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')

	# Second invocation of xserver_role for sysadm_r (see the
	# unconditional call earlier in this file).
	optional_policy(`
		xserver_role(sysadm_r, sysadm_t)
	')
')