35 lines
1.1 KiB
Plaintext
35 lines
1.1 KiB
Plaintext
|
# Authors: Dan Walsh, Russell Coker
|
||
|
# Maintained by Dan Walsh <dwalsh@redhat.com>
|
||
|
define(`sudo_domain',`
|
||
|
newrole_domain($1_sudo, `, privuser')
|
||
|
|
||
|
# By default, revert to the calling domain when a shell is executed.
|
||
|
domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
|
||
|
|
||
|
ifdef(`mta.te', `
|
||
|
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
|
||
|
allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
|
||
|
')
|
||
|
|
||
|
allow $1_sudo_t self:capability sys_resource;
|
||
|
|
||
|
allow $1_sudo_t self:process setrlimit;
|
||
|
|
||
|
ifdef(`pam.te', `
|
||
|
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
|
||
|
allow $1_sudo_t pam_var_run_t:file create_file_perms;
|
||
|
')
|
||
|
|
||
|
allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
|
||
|
allow $1_sudo_t sysctl_t:dir search;
|
||
|
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
|
||
|
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
|
||
|
read_sysctl($1_sudo_t)
|
||
|
|
||
|
allow $1_sudo_t var_run_t:dir search;
|
||
|
r_dir_file($1_sudo_t, default_context_t)
|
||
|
rw_dir_create_file($1_sudo_t, $1_tmp_t)
|
||
|
rw_dir_create_file($1_sudo_t, $1_home_t)
|
||
|
domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
|
||
|
')
|