1 policy_module(sysadm, 2.2.1)
3 ########################################
#
# Declarations
#
# NOTE(review): this listing is non-contiguous (the gutter numbers skip);
# the optional_policy()/tunable_policy() wrappers and their closing `')
# lines are not visible here, so block nesting below is inferred from
# the surrounding calls rather than shown.
#
10 userdom_admin_user_template(sysadm)
# By name, the security-administration template: this makes sysadm_r the
# role that also manages the MAC policy itself. A separate secadm_r is
# reachable via secadm_role_change further down.
13 userdom_security_admin_template(sysadm_t, sysadm_r)
16 ########################################
#
# Local policy
#
20 kernel_read_fs_sysctls(sysadm_t)
22 corecmd_exec_shell(sysadm_t)
24 domain_dontaudit_read_all_domains_state(sysadm_t)
26 files_read_kernel_modules(sysadm_t)
28 dev_filetrans_all_named_dev(sysadm_t)
29 storage_filetrans_all_named_dev(sysadm_t)
30 term_filetrans_all_named_dev(sysadm_t)
# MLS: by name, these let sysadm_t read upward and read/write up to its
# clearance, i.e. cross sensitivity levels. This is the usual exemption
# for an administrative domain; it is also why sysadm_t should stay
# reachable only through the role-transition paths declared below.
32 mls_process_read_up(sysadm_t)
33 mls_file_read_to_clearance(sysadm_t)
34 mls_process_write_to_clearance(sysadm_t)
# Permits changing attributes of fixed-disk device nodes.
36 storage_setattr_fixed_disk_dev(sysadm_t)
# UBAC: sysadm_t is exempted from user-based access control for
# processes, files and fds, so it may act on objects of any SELinux user.
38 ubac_process_exempt(sysadm_t)
39 ubac_file_exempt(sysadm_t)
40 ubac_fd_exempt(sysadm_t)
42 application_exec(sysadm_t)
45 init_exec_script_files(sysadm_t)
46 init_dbus_chat(sysadm_t)
47 init_script_role_transition(sysadm_r)
49 miscfiles_filetrans_named_content(sysadm_t)
50 miscfiles_read_hwdata(sysadm_t)
52 sysnet_filetrans_named_content(sysadm_t)
54 # Add/remove user home directories
55 userdom_manage_user_home_dirs(sysadm_t)
56 userdom_home_filetrans_user_home_dir(sysadm_t)
57 userdom_manage_tmp_role(sysadm_r, sysadm_t)
60 alsa_filetrans_named_content(sysadm_t)
64 ssh_filetrans_admin_home_content(sysadm_t)
# Only when the build enables direct_sysadm_daemon: sysadm_t may start
# daemons directly in sysadm_r instead of going through init scripts.
67 ifdef(`direct_sysadm_daemon',`
69 init_run_daemon(sysadm_t, sysadm_r)
72 ifdef(`distro_gentoo',`
74 seutil_init_script_run_runinit(sysadm_t, sysadm_r)
# Audit trail control: sysadm_t may manage the audit log and audit
# configuration and run auditctl. Integrity of the audit record therefore
# rests on how sysadm_r is reached (see the su/sudo/ssh role templates
# and the *_role_change calls below); a dedicated auditadm_r exists via
# auditadm_role_change.
80 logging_manage_audit_log(sysadm_t)
81 logging_manage_audit_config(sysadm_t)
82 logging_run_auditctl(sysadm_t, sysadm_r)
83 logging_stream_connect_syslog(sysadm_t)
# The first (deny_ptrace=true) branch is empty; the visible else-branch
# grants sysadm_t ptrace over every domain whenever the deny_ptrace
# boolean is off. Setting deny_ptrace is the knob that removes this.
86 tunable_policy(`deny_ptrace',`',`
87 domain_ptrace_all_domains(sysadm_t)
91 amanda_run_recover(sysadm_t, sysadm_r)
95 apache_run_helper(sysadm_t, sysadm_r)
96 apache_filetrans_home_content(sysadm_t)
97 #apache_run_all_scripts(sysadm_t, sysadm_r)
98 #apache_domtrans_sys_script(sysadm_t)
102 # cjp: why is this not apm_run_client
103 apm_domtrans_client(sysadm_t)
# Role change into the audit-administrator role.
107 auditadm_role_change(sysadm_r)
111 bind_run_ndc(sysadm_t, sysadm_r)
115 bootloader_run(sysadm_t, sysadm_r)
119 certmonger_dbus_chat(sysadm_t)
123 certwatch_run(sysadm_t, sysadm_r)
127 clock_run(sysadm_t, sysadm_r)
131 clockspeed_run_cli(sysadm_t, sysadm_r)
135 cron_admin_role(sysadm_r, sysadm_t)
136 #cron_role(sysadm_r, sysadm_t)
140 consoletype_exec(sysadm_t)
144 daemonstools_run_start(sysadm_t, sysadm_r)
# NOTE(review): dbus_role_template is invoked again inside the
# ifndef(`distro_redhat') block at the end of this file; on non-Red Hat
# builds the second call looks redundant. Confirm whether one is a leftover.
148 dbus_role_template(sysadm, sysadm_r, sysadm_t)
152 dcc_run_cdcc(sysadm_t, sysadm_r)
153 dcc_run_client(sysadm_t, sysadm_r)
154 dcc_run_dbclean(sysadm_t, sysadm_r)
158 ddcprobe_run(sysadm_t, sysadm_r)
162 devicekit_filetrans_named_content(sysadm_t)
170 dmidecode_run(sysadm_t, sysadm_r)
174 dpkg_run(sysadm_t, sysadm_r)
178 firstboot_run(sysadm_t, sysadm_r)
182 fstools_run(sysadm_t, sysadm_r)
186 hostname_run(sysadm_t, sysadm_r)
190 hadoop_role(sysadm_r, sysadm_t)
194 # allow system administrator to use the ipsec script to look
195 # at things (e.g., ipsec auto --status)
196 # probably should create an ipsec_admin role for this kind of thing
197 ipsec_exec_mgmt(sysadm_t)
198 ipsec_stream_connect(sysadm_t)
200 ipsec_getattr_key_sockets(sysadm_t)
201 ipsec_run_setkey(sysadm_t, sysadm_r)
202 ipsec_run_racoon(sysadm_t, sysadm_r)
203 ipsec_stream_connect_racoon(sysadm_t)
206 ipsec_mgmt_dbus_chat(sysadm_t)
211 iptables_run(sysadm_t, sysadm_r)
215 irc_role(sysadm_r, sysadm_t)
219 kerberos_exec_kadmind(sysadm_t)
220 kerberos_filetrans_named_content(sysadm_t)
224 libs_run_ldconfig(sysadm_t, sysadm_r)
228 logrotate_run(sysadm_t, sysadm_r)
232 lpd_run_checkpc(sysadm_t, sysadm_r)
233 lpd_role(sysadm_r, sysadm_t)
237 lvm_run(sysadm_t, sysadm_r)
# Kernel module handling (depmod/insmod/update-modules) and module
# content transitions: one of the few paths from a confined domain into
# kernel code, so these calls deserve a role-transition audit trail.
241 modutils_run_depmod(sysadm_t, sysadm_r)
242 modutils_run_insmod(sysadm_t, sysadm_r)
243 modutils_run_update_mods(sysadm_t, sysadm_r)
244 modutils_read_module_deps(sysadm_t)
245 modules_filetrans_named_content(sysadm_t)
249 mount_run(sysadm_t, sysadm_r)
250 mount_run_showmount(sysadm_t, sysadm_r)
254 mta_role(sysadm_r, sysadm_t)
255 # this is defined in userdom_common_user_template
256 #mta_filetrans_home_content(sysadm_t)
257 mta_filetrans_admin_home_content(sysadm_t)
261 munin_stream_connect(sysadm_t)
265 mysql_stream_connect(sysadm_t)
269 ncftool_run(sysadm_t, sysadm_r)
273 netutils_run(sysadm_t, sysadm_r)
274 netutils_run_ping(sysadm_t, sysadm_r)
275 netutils_run_traceroute(sysadm_t, sysadm_r)
279 networkmanager_filetrans_named_content(sysadm_t)
284 corenet_udp_bind_ntp_port(sysadm_t)
288 nx_filetrans_named_content(sysadm_t)
292 oav_run_update(sysadm_t, sysadm_r)
296 openvpn_run(sysadm_t, sysadm_r)
300 pcmcia_run_cardctl(sysadm_t, sysadm_r)
304 polipo_role(sysadm_r, sysadm_t)
305 polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
306 polipo_named_filetrans_admin_config_home_files(sysadm_t)
310 portage_run(sysadm_t, sysadm_r)
311 portage_run_gcc_config(sysadm_t, sysadm_r)
315 portmap_run_helper(sysadm_t, sysadm_r)
319 postfix_filetrans_named_content(sysadm_t)
323 prelink_run(sysadm_t, sysadm_r)
327 puppet_run_puppetca(sysadm_t, sysadm_r)
331 quota_run(sysadm_t, sysadm_r)
335 raid_domtrans_mdadm(sysadm_t)
339 rpc_domtrans_nfsd(sysadm_t)
343 rpm_run(sysadm_t, sysadm_r)
344 rpm_dbus_chat(sysadm_t, sysadm_r)
352 samba_run_net(sysadm_t, sysadm_r)
353 samba_run_winbind_helper(sysadm_t, sysadm_r)
357 samhain_admin(sysadm_t)
361 screen_role_template(sysadm, sysadm_r, sysadm_t)
# Role change into the security-administrator role.
365 secadm_role_change(sysadm_r)
369 setroubleshoot_stream_connect(sysadm_t)
370 setroubleshoot_dbus_chat(sysadm_t)
371 setroubleshoot_dbus_chat_fixit(sysadm_t)
# Relabeling (setfiles) and run_init from sysadm_r: both change the
# security state of the system rather than just its configuration.
375 seutil_run_setfiles(sysadm_t, sysadm_r)
376 seutil_run_runinit(sysadm_t, sysadm_r)
380 shutdown_run(sysadm_t, sysadm_r)
# Entry points into sysadm_r: ssh, su and sudo role templates. These,
# plus the init script role transition above, are the paths a defender
# should expect to see in audit logs when sysadm_r is entered.
384 ssh_role_template(sysadm, sysadm_r, sysadm_t)
388 staff_role_change(sysadm_r)
392 su_role_template(sysadm, sysadm_r, sysadm_t)
396 sudo_role_template(sysadm, sysadm_r, sysadm_t)
400 sysnet_run_ifconfig(sysadm_t, sysadm_r)
401 sysnet_run_dhcpc(sysadm_t, sysadm_r)
# Full control over systemd unit files and service configuration:
# by name this is equivalent to deciding what runs at boot, so changes
# made from sysadm_t to unit files are worth alerting on as
# persistence-relevant events.
405 systemd_passwd_agent_run(sysadm_t, sysadm_r)
406 systemd_config_all_services(sysadm_t)
407 systemd_manage_all_unit_files(sysadm_t)
408 systemd_manage_all_unit_lnk_files(sysadm_t)
412 tripwire_run_siggen(sysadm_t, sysadm_r)
413 tripwire_run_tripwire(sysadm_t, sysadm_r)
414 tripwire_run_twadmin(sysadm_t, sysadm_r)
415 tripwire_run_twprint(sysadm_t, sysadm_r)
419 tzdata_domtrans(sysadm_t)
# NOTE(review): by name, a domain transition into the unconfined domain.
# Anything reached through it leaves the confinement this module
# otherwise defines; confirm the unconfined module is intended to be
# present on builds that ship this policy (it is inside an optional
# block that is not visible in this listing).
423 unconfined_domtrans(sysadm_t)
427 udev_run(sysadm_t, sysadm_r)
# Role change into the unprivileged user role.
431 unprivuser_role_change(sysadm_r)
435 usbmodules_run(sysadm_t, sysadm_r)
# Account management: admin passwd plus useradd/groupadd from sysadm_r.
439 usermanage_run_admin_passwd(sysadm_t, sysadm_r)
440 usermanage_run_groupadd(sysadm_t, sysadm_r)
441 usermanage_run_useradd(sysadm_t, sysadm_r)
445 virt_stream_connect(sysadm_t)
446 virt_filetrans_home_content(sysadm_t)
450 vlock_run(sysadm_t, sysadm_r)
454 vpn_run(sysadm_t, sysadm_r)
458 webalizer_run(sysadm_t, sysadm_r)
# NOTE(review): xserver_role is invoked again inside the
# ifndef(`distro_redhat') block below; see the dbus_role_template note.
462 xserver_role(sysadm_r, sysadm_t)
466 zebra_stream_connect(sysadm_t)
# Everything from here on is compiled only when distro_redhat is NOT
# defined; Red Hat builds get none of these desktop/user-app roles
# for sysadm_r.
469 ifndef(`distro_redhat',`
471 apache_role(sysadm_r, sysadm_t)
474 auth_role(sysadm_r, sysadm_t)
478 bluetooth_role(sysadm_r, sysadm_t)
482 cdrecord_role(sysadm_r, sysadm_t)
# Duplicate of the unconditional dbus_role_template call earlier.
486 dbus_role_template(sysadm, sysadm_r, sysadm_t)
490 gpg_role(sysadm_r, sysadm_t)
494 java_role(sysadm_r, sysadm_t)
498 lockdev_role(sysadm_r, sysadm_t)
506 mplayer_role(sysadm_r, sysadm_t)
510 pyzor_role(sysadm_r, sysadm_t)
514 razor_role(sysadm_r, sysadm_t)
518 rssh_role(sysadm_r, sysadm_t)
522 spamassassin_role(sysadm_r, sysadm_t)
526 uml_role(sysadm_r, sysadm_t)
530 userhelper_role_template(sysadm, sysadm_r, sysadm_t)
534 vmware_role(sysadm_r, sysadm_t)
538 wireshark_role(sysadm_r, sysadm_t)
# Duplicate of the unconditional xserver_role call earlier.
542 xserver_role(sysadm_r, sysadm_t)