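policy_module(sysadm, 2.2.1)

########################################
#
# Declarations
#

# The system administrator role.  sysadm_t, the domain created for it by
# the admin user template below, is the most privileged confined domain a
# login user can reach; read every grant in this module with that in mind.
role sysadm_r;

userdom_admin_user_template(sysadm)

# Skipped on MLS builds: there the security administrator duties live in
# the separate secadm role (sysadm can switch to it via secadm_role_change
# further down).  On non-MLS builds they are folded into sysadm_t here;
# see userdom_security_admin_template in the userdomain module for the
# exact set of permissions this adds.
ifndef(`enable_mls',`
	userdom_security_admin_template(sysadm_t, sysadm_r)
')

########################################
#
# Local policy
#
kernel_read_fs_sysctls(sysadm_t)

corecmd_exec_shell(sysadm_t)

# A dontaudit interface: it silences the denials produced when admin
# tools walk the process state of every domain, it does not permit the
# access.  If a tool really needs those reads, grant them in its own
# domain rather than widening this.
domain_dontaudit_read_all_domains_state(sysadm_t)

files_read_kernel_modules(sysadm_t)

# Name based file transitions so that device nodes the admin creates by
# hand receive the label the device modules expect, instead of inheriting
# the generic device label of the parent directory.
dev_filetrans_all_named_dev(sysadm_t)
storage_filetrans_all_named_dev(sysadm_t)
term_filetrans_all_named_dev(sysadm_t)

# MLS overrides: these relax the default no-read-up / no-write-down
# constraints for sysadm_t, bounded by the clearance of the logged in
# user.  They are only meaningful on MLS builds, but they are a deliberate
# widening of the MLS policy and should be kept in view when assigning
# clearances to administrator accounts.
mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)

storage_setattr_fixed_disk_dev(sysadm_t)

# Exempt sysadm_t from the user based access control constraints of the
# ubac module, so it can act on processes, files and descriptors that
# belong to other SELinux users.
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

application_exec(sysadm_t)

init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)

miscfiles_filetrans_named_content(sysadm_t)
miscfiles_read_hwdata(sysadm_t)

sysnet_filetrans_named_content(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
userdom_manage_tmp_role(sysadm_r, sysadm_t)

optional_policy(`
	alsa_filetrans_named_content(sysadm_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(sysadm_t)
')

# How daemons get started from an admin shell.  With direct_sysadm_daemon
# defined, sysadm_t may launch daemons directly and they transition into
# their own domains.  Without it the expected path is the init scripts
# (run_init, granted below via seutil_run_runinit); Gentoo uses its own
# runinit wrapper for the same purpose.
ifdef(`direct_sysadm_daemon',`
	optional_policy(`
		init_run_daemon(sysadm_t, sysadm_r)
	')
',`
	ifdef(`distro_gentoo',`
		optional_policy(`
			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
		')
	')
')

# On non-MLS builds the audit trail is administered from sysadm.  MLS
# builds keep that in the separate auditadm role (reachable through
# auditadm_role_change below), so an administrator cannot silently tamper
# with the log of their own actions there.
ifndef(`enable_mls',`
	logging_manage_audit_log(sysadm_t)
	logging_manage_audit_config(sysadm_t)
	logging_run_auditctl(sysadm_t, sysadm_r)
	logging_stream_connect_syslog(sysadm_t)
')

# The grant is in the else branch: unless the deny_ptrace boolean is set,
# sysadm_t may ptrace every domain on the system, which amounts to full
# control of the traced processes regardless of their own confinement.
# Sites that do not need interactive debugging as sysadm should turn
# deny_ptrace on.
tunable_policy(`deny_ptrace',`',`
	domain_ptrace_all_domains(sysadm_t)
')

optional_policy(`
	amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
	apache_run_helper(sysadm_t, sysadm_r)
	apache_filetrans_home_content(sysadm_t)
	#apache_run_all_scripts(sysadm_t, sysadm_r)
	#apache_domtrans_sys_script(sysadm_t)
')

optional_policy(`
	# cjp: why is this not apm_run_client
	apm_domtrans_client(sysadm_t)
')

optional_policy(`
	apt_run(sysadm_t, sysadm_r)
')

# Role changes sysadm_r may perform (newrole / sudo role switches).
optional_policy(`
	auditadm_role_change(sysadm_r)
')

optional_policy(`
	backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
	bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
	bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
	certmonger_dbus_chat(sysadm_t)
')

optional_policy(`
	certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	clockspeed_run_cli(sysadm_t, sysadm_r)
')

optional_policy(`
	cron_admin_role(sysadm_r, sysadm_t)
	#cron_role(sysadm_r, sysadm_t)
')

optional_policy(`
	consoletype_exec(sysadm_t)
')

optional_policy(`
	daemonstools_run_start(sysadm_t, sysadm_r)
')

# Also wanted by the non-redhat block at the end of this file; it is
# enabled once here so the template is never expanded twice.
optional_policy(`
	dbus_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	dcc_run_cdcc(sysadm_t, sysadm_r)
	dcc_run_client(sysadm_t, sysadm_r)
	dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
	ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
	devicekit_filetrans_named_content(sysadm_t)
')

optional_policy(`
	dmesg_exec(sysadm_t)
')

optional_policy(`
	dmidecode_run(sysadm_t, sysadm_r)
')

optional_policy(`
	dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
	firstboot_run(sysadm_t, sysadm_r)
')

optional_policy(`
	fstools_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hostname_run(sysadm_t, sysadm_r)
')

optional_policy(`
	hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
	# allow system administrator to use the ipsec script to look
	# at things (e.g., ipsec auto --status)
	# probably should create an ipsec_admin role for this kind of thing
	ipsec_exec_mgmt(sysadm_t)
	ipsec_stream_connect(sysadm_t)
	# for lsof
	ipsec_getattr_key_sockets(sysadm_t)
	ipsec_run_setkey(sysadm_t, sysadm_r)
	ipsec_run_racoon(sysadm_t, sysadm_r)
	ipsec_stream_connect_racoon(sysadm_t)

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
')

optional_policy(`
	iptables_run(sysadm_t, sysadm_r)
')

optional_policy(`
	irc_role(sysadm_r, sysadm_t)
')

optional_policy(`
	kerberos_exec_kadmind(sysadm_t)
	kerberos_filetrans_named_content(sysadm_t)
')

optional_policy(`
	kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
	libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
	logrotate_run(sysadm_t, sysadm_r)
')

optional_policy(`
	lpd_run_checkpc(sysadm_t, sysadm_r)
	lpd_role(sysadm_r, sysadm_t)
')

optional_policy(`
	lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
	modutils_run_depmod(sysadm_t, sysadm_r)
	modutils_run_insmod(sysadm_t, sysadm_r)
	modutils_run_update_mods(sysadm_t, sysadm_r)
	modutils_read_module_deps(sysadm_t)
	modules_filetrans_named_content(sysadm_t)
')

optional_policy(`
	mount_run(sysadm_t, sysadm_r)
	mount_run_showmount(sysadm_t, sysadm_r)
')

optional_policy(`
	mta_role(sysadm_r, sysadm_t)
	# this is defined in userdom_common_user_template
	#mta_filetrans_home_content(sysadm_t)
	mta_filetrans_admin_home_content(sysadm_t)
')

optional_policy(`
	munin_stream_connect(sysadm_t)
')

optional_policy(`
	mysql_stream_connect(sysadm_t)
')

optional_policy(`
	ncftool_run(sysadm_t, sysadm_r)
')

optional_policy(`
	netutils_run(sysadm_t, sysadm_r)
	netutils_run_ping(sysadm_t, sysadm_r)
	netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
	networkmanager_filetrans_named_content(sysadm_t)
')

# ntp_stub() only ties this block to the presence of the ntp module, so
# the port bind is dropped when ntp is not part of the policy.
optional_policy(`
	ntp_stub()
	corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
	nx_filetrans_named_content(sysadm_t)
')

optional_policy(`
	oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
	openvpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
	polipo_role(sysadm_r, sysadm_t)
	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
	polipo_named_filetrans_admin_config_home_files(sysadm_t)
')

optional_policy(`
	portage_run(sysadm_t, sysadm_r)
	portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
	portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	postfix_filetrans_named_content(sysadm_t)
')

optional_policy(`
	prelink_run(sysadm_t, sysadm_r)
')

optional_policy(`
	puppet_run_puppetca(sysadm_t, sysadm_r)
')

optional_policy(`
	quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
	raid_domtrans_mdadm(sysadm_t)
')

optional_policy(`
	rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
	rpm_run(sysadm_t, sysadm_r)
	rpm_dbus_chat(sysadm_t, sysadm_r)
')

optional_policy(`
	rsync_exec(sysadm_t)
')

optional_policy(`
	samba_run_net(sysadm_t, sysadm_r)
	samba_run_winbind_helper(sysadm_t, sysadm_r)
')

optional_policy(`
	samhain_admin(sysadm_t)
')

optional_policy(`
	screen_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	secadm_role_change(sysadm_r)
')

optional_policy(`
	setroubleshoot_stream_connect(sysadm_t)
	setroubleshoot_dbus_chat(sysadm_t)
	setroubleshoot_dbus_chat_fixit(sysadm_t)
')

optional_policy(`
	seutil_run_setfiles(sysadm_t, sysadm_r)
	seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
	shutdown_run(sysadm_t, sysadm_r)
')

optional_policy(`
	ssh_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	staff_role_change(sysadm_r)
')

optional_policy(`
	su_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sudo_role_template(sysadm, sysadm_r, sysadm_t)
')

optional_policy(`
	sysnet_run_ifconfig(sysadm_t, sysadm_r)
	sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
	systemd_passwd_agent_run(sysadm_t, sysadm_r)
	systemd_config_all_services(sysadm_t)
	systemd_manage_all_unit_files(sysadm_t)
	systemd_manage_all_unit_lnk_files(sysadm_t)
')

optional_policy(`
	tripwire_run_siggen(sysadm_t, sysadm_r)
	tripwire_run_tripwire(sysadm_t, sysadm_r)
	tripwire_run_twadmin(sysadm_t, sysadm_r)
	tripwire_run_twprint(sysadm_t, sysadm_r)
')

optional_policy(`
	tzdata_domtrans(sysadm_t)
')

# Whenever the unconfined module is loaded, sysadm_t may transition into
# the unconfined domain.  That is an exit from confinement altogether, so
# a build that wants a genuinely confined administrator must either omit
# the unconfined module or drop this grant.
optional_policy(`
	unconfined_domtrans(sysadm_t)
')

optional_policy(`
	udev_run(sysadm_t, sysadm_r)
')

optional_policy(`
	unprivuser_role_change(sysadm_r)
')

optional_policy(`
	usbmodules_run(sysadm_t, sysadm_r)
')

optional_policy(`
	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
	usermanage_run_groupadd(sysadm_t, sysadm_r)
	usermanage_run_useradd(sysadm_t, sysadm_r)
')

optional_policy(`
	virt_stream_connect(sysadm_t)
	virt_filetrans_home_content(sysadm_t)
')

optional_policy(`
	vlock_run(sysadm_t, sysadm_r)
')

optional_policy(`
	vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
	webalizer_run(sysadm_t, sysadm_r)
')

# Also wanted by the non-redhat block at the end of this file; enabled
# once here so it is not repeated there.
optional_policy(`
	xserver_role(sysadm_r, sysadm_t)
')

optional_policy(`
	yam_run(sysadm_t, sysadm_r)
')

optional_policy(`
	zebra_stream_connect(sysadm_t)
')

# Desktop and end-user application roles that the Red Hat builds leave
# out of sysadm.  dbus_role_template and xserver_role used to be repeated
# in this block although they are already enabled unconditionally above;
# the repeats were dropped because a second expansion of the same template
# in a non-redhat build adds nothing and is likely to fail the module
# build with duplicate declarations.
ifndef(`distro_redhat',`
	optional_policy(`
		apache_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		auth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		bluetooth_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		cdrecord_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		gnome_role(sysadm_r, sysadm_t)
		gnome_filetrans_admin_home_content(sysadm_t)
	')

	optional_policy(`
		gpg_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		java_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		lockdev_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		mock_admin(sysadm_t)
	')

	optional_policy(`
		mplayer_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		pyzor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		razor_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		rssh_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		spamassassin_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		tvtime_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		uml_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
	')

	optional_policy(`
		vmware_role(sysadm_r, sysadm_t)
	')

	optional_policy(`
		wireshark_role(sysadm_r, sysadm_t)
	')
')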