selinux-policy/policy/modules/roles/sysadm.if

## <summary>General system administration role</summary>

########################################
## <summary>
##	Change to the generic user role.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_template',`
	userdom_role_change_template($1, sysadm)
')

########################################
## <summary>
##	Change from the generic user role.
## </summary>
## <desc>
##	<p>
##	Change from the generic user role to
##	the specified role.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_to_template',`
	userdom_role_change_template(sysadm, $1)
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_shell_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	domain_entry_file_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans(sysadm_t, $1)
	allow $1 sysadm_t:fd use;
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_sigchld',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_fds',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fd use;
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_rw_pipes',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attepts to get the attributes
##	of sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dev_list_all_dev_nodes($1)
	term_list_ptys($1)
	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')

########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_ptys',`
	gen_require(`
		type sysadm_devpts_t;
	')

	dev_list_all_dev_nodes($1)
	term_list_ptys($1)
	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Dont audit attempts to read and write sysadm ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_ptys',`
	gen_require(`
		type sysadm_devpts_t;
	')

	dontaudit $1 sysadm_devpts_t:chr_file { read write };
')

########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_terms',`
	sysadm_use_ttys($1)
	sysadm_use_ptys($1)
')

########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_terms',`
	sysadm_dontaudit_use_ttys($1)
	sysadm_dontaudit_use_ptys($1)
')

########################################
## <summary>
##	Get the attributes of the sysadm users
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_getattr_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of the sysadm users
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir getattr;
')

########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_search_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_search_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')

########################################
## <summary>
##	List the sysadm users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_list_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_list_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')

########################################
## <summary>
##	Create objects in sysadm home directories
##	with automatic file type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	If not specified, file is used.
##	</summary>
## </param>
#
interface(`sysadm_home_dir_filetrans',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
')

########################################
## <summary>
##	Search the sysadm users home sub directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_search_home_content_dirs',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
')

########################################
## <summary>
##	Read files in the sysadm home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_read_home_content_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	files_search_home($1)
	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
')

########################################
## <summary>
##	Do not audit attempts to read files in the sysadm
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_read_home_content_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
	dontaudit $1 sysadm_home_t:dir search_dir_perms;
	dontaudit $1 sysadm_home_t:file read_file_perms;
')

########################################
## <summary>
##	Read sysadm temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_read_tmp_files',`
	gen_require(`
		type sysadm_tmp_t;
	')

	files_search_tmp($1)
	allow $1 sysadm_tmp_t:dir list_dir_perms;
	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
')
trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00			`## <summary>General system administration role</summary>`

			`########################################`
			`## <summary>`
			`## Change to the generic user role.`
			`## </summary>`
			`## <param name="prefix">`
			`## <summary>`
			`## The prefix of the user role (e.g., user`
			`## is the prefix for user_r).`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			template(`sysadm_role_change_template',`
			`userdom_role_change_template($1, sysadm)`
			`')`

			`########################################`
			`## <summary>`
			`## Change from the generic user role.`
			`## </summary>`
			`## <desc>`
			`## <p>`
			`## Change from the generic user role to`
			`## the specified role.`
			`## </p>`
			`## <p>`
			`## This is a template to support third party modules`
			`## and its use is not allowed in upstream reference`
			`## policy.`
			`## </p>`
			`## </desc>`
			`## <param name="prefix">`
			`## <summary>`
			`## The prefix of the user role (e.g., user`
			`## is the prefix for user_r).`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			template(`sysadm_role_change_to_template',`
			`userdom_role_change_template(sysadm, $1)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute a shell in the sysadm domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_shell_domtrans',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`corecmd_shell_domtrans($1, sysadm_t)`
			`allow sysadm_t $1:fd use;`
			`allow sysadm_t $1:fifo_file rw_file_perms;`
			`allow sysadm_t $1:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Execute a generic bin program in the sysadm domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_bin_spec_domtrans',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`corecmd_bin_spec_domtrans($1, sysadm_t)`
			`allow sysadm_t $1:fd use;`
			`allow sysadm_t $1:fifo_file rw_file_perms;`
			`allow sysadm_t $1:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Execute all entrypoint files in the sysadm domain. This`
			`## is an explicit transition, requiring the`
			`## caller to use setexeccon().`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_entry_spec_domtrans',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`domain_entry_file_spec_domtrans($1, sysadm_t)`
			`allow sysadm_t $1:fd use;`
			`allow sysadm_t $1:fifo_file rw_file_perms;`
			`allow sysadm_t $1:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Allow sysadm to execute a generic bin program in`
			`## a specified domain. This is an explicit transition,`
			`## requiring the caller to use setexeccon().`
			`## </summary>`
			`## <desc>`
			`## <p>`
			`## Allow sysadm to execute a generic bin program in`
			`## a specified domain.`
			`## </p>`
			`## <p>`
			`## This is a interface to support third party modules`
			`## and its use is not allowed in upstream reference`
			`## policy.`
			`## </p>`
			`## </desc>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to execute in.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_bin_spec_domtrans_to',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`corecmd_bin_spec_domtrans(sysadm_t, $1)`
			`allow $1 sysadm_t:fd use;`
			`allow $1 sysadm_t:fifo_file rw_file_perms;`
			`allow $1 sysadm_t:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Send a SIGCHLD signal to sysadm users.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_sigchld',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`allow $1 sysadm_t:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Inherit and use sysadm file descriptors`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_use_fds',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`allow $1 sysadm_t:fd use;`
			`')`

			`########################################`
			`## <summary>`
			`## Read and write sysadm user unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_rw_pipes',`
			gen_require(`
			`type sysadm_t;`
			`')`

			`allow $1 sysadm_t:fifo_file rw_fifo_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attepts to get the attributes`
			`## of sysadm ttys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_getattr_ttys',`
			gen_require(`
			`type sysadm_tty_device_t;`
			`')`

			`dontaudit $1 sysadm_tty_device_t:chr_file getattr;`
			`')`

			`########################################`
			`## <summary>`
			`## Read and write sysadm ttys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_use_ttys',`
			gen_require(`
			`type sysadm_tty_device_t;`
			`')`

			`dev_list_all_dev_nodes($1)`
			`term_list_ptys($1)`
			`allow $1 sysadm_tty_device_t:chr_file rw_term_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to use sysadm ttys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_use_ttys',`
			gen_require(`
			`type sysadm_tty_device_t;`
			`')`

			`dontaudit $1 sysadm_tty_device_t:chr_file { read write };`
			`')`

			`########################################`
			`## <summary>`
			`## Read and write sysadm ptys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_use_ptys',`
			gen_require(`
			`type sysadm_devpts_t;`
			`')`

			`dev_list_all_dev_nodes($1)`
			`term_list_ptys($1)`
			`allow $1 sysadm_devpts_t:chr_file rw_term_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Dont audit attempts to read and write sysadm ptys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_use_ptys',`
			gen_require(`
			`type sysadm_devpts_t;`
			`')`

			`dontaudit $1 sysadm_devpts_t:chr_file { read write };`
			`')`

			`########################################`
			`## <summary>`
			`## Read and write sysadm ttys and ptys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_use_terms',`
			`sysadm_use_ttys($1)`
			`sysadm_use_ptys($1)`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to use sysadm ttys and ptys.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_use_terms',`
			`sysadm_dontaudit_use_ttys($1)`
			`sysadm_dontaudit_use_ptys($1)`
			`')`

			`########################################`
			`## <summary>`
			`## Get the attributes of the sysadm users`
			`## home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_getattr_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`allow $1 sysadm_home_dir_t:dir getattr;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to get the`
			`## attributes of the sysadm users`
			`## home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_getattr_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`dontaudit $1 sysadm_home_dir_t:dir getattr;`
			`')`

			`########################################`
			`## <summary>`
			`## Search the sysadm users home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_search_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`allow $1 sysadm_home_dir_t:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to search the sysadm`
			`## users home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_search_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## List the sysadm users home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_list_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`allow $1 sysadm_home_dir_t:dir list_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to list the sysadm`
			`## users home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_list_home_dirs',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in sysadm home directories`
			`## with automatic file type transition.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="private type">`
			`## <summary>`
			`## The type of the object to be created.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## The class of the object to be created.`
			`## If not specified, file is used.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_home_dir_filetrans',`
			gen_require(`
			`type sysadm_home_dir_t;`
			`')`

			`filetrans_pattern($1, sysadm_home_dir_t, $2, $3)`
			`')`

			`########################################`
			`## <summary>`
			`## Search the sysadm users home sub directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_search_home_content_dirs',`
			gen_require(`
			`type sysadm_home_dir_t, sysadm_home_t;`
			`')`

			`allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Read files in the sysadm home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_read_home_content_files',`
			gen_require(`
			`type sysadm_home_dir_t, sysadm_home_t;`
			`')`

			`files_search_home($1)`
			`allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;`
			`read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)`
			`read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to read files in the sysadm`
			`## home directory.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_dontaudit_read_home_content_files',`
			gen_require(`
			`type sysadm_home_dir_t, sysadm_home_t;`
			`')`

			`dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;`
			`dontaudit $1 sysadm_home_t:dir search_dir_perms;`
			`dontaudit $1 sysadm_home_t:file read_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Read sysadm temporary files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sysadm_read_tmp_files',`
			gen_require(`
			`type sysadm_tmp_t;`
			`')`

			`files_search_tmp($1)`
			`allow $1 sysadm_tmp_t:dir list_dir_perms;`
			`read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)`
			`read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)`
			`')`