548 lines
11 KiB
Plaintext
548 lines
11 KiB
Plaintext
|
## <summary>General system administration role</summary>
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Change to the generic user role.
|
||
|
## </summary>
|
||
|
## <param name="prefix">
|
||
|
## <summary>
|
||
|
## The prefix of the user role (e.g., user
|
||
|
## is the prefix for user_r).
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
## <rolecap/>
|
||
|
#
|
||
|
template(`sysadm_role_change_template',`
|
||
|
userdom_role_change_template($1, sysadm)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Change from the generic user role.
|
||
|
## </summary>
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Change from the generic user role to
|
||
|
## the specified role.
|
||
|
## </p>
|
||
|
## <p>
|
||
|
## This is a template to support third party modules
|
||
|
## and its use is not allowed in upstream reference
|
||
|
## policy.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
## <param name="prefix">
|
||
|
## <summary>
|
||
|
## The prefix of the user role (e.g., user
|
||
|
## is the prefix for user_r).
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
## <rolecap/>
|
||
|
#
|
||
|
template(`sysadm_role_change_to_template',`
|
||
|
userdom_role_change_template(sysadm, $1)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Execute a shell in the sysadm domain.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_shell_domtrans',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
corecmd_shell_domtrans($1, sysadm_t)
|
||
|
allow sysadm_t $1:fd use;
|
||
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
||
|
allow sysadm_t $1:process sigchld;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Execute a generic bin program in the sysadm domain.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_bin_spec_domtrans',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
corecmd_bin_spec_domtrans($1, sysadm_t)
|
||
|
allow sysadm_t $1:fd use;
|
||
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
||
|
allow sysadm_t $1:process sigchld;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Execute all entrypoint files in the sysadm domain. This
|
||
|
## is an explicit transition, requiring the
|
||
|
## caller to use setexeccon().
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_entry_spec_domtrans',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
domain_entry_file_spec_domtrans($1, sysadm_t)
|
||
|
allow sysadm_t $1:fd use;
|
||
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
||
|
allow sysadm_t $1:process sigchld;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Allow sysadm to execute a generic bin program in
|
||
|
## a specified domain. This is an explicit transition,
|
||
|
## requiring the caller to use setexeccon().
|
||
|
## </summary>
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow sysadm to execute a generic bin program in
|
||
|
## a specified domain.
|
||
|
## </p>
|
||
|
## <p>
|
||
|
## This is a interface to support third party modules
|
||
|
## and its use is not allowed in upstream reference
|
||
|
## policy.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to execute in.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_bin_spec_domtrans_to',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
corecmd_bin_spec_domtrans(sysadm_t, $1)
|
||
|
allow $1 sysadm_t:fd use;
|
||
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||
|
allow $1 sysadm_t:process sigchld;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Send a SIGCHLD signal to sysadm users.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_sigchld',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_t:process sigchld;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Inherit and use sysadm file descriptors
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_use_fds',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_t:fd use;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read and write sysadm user unnamed pipes.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_rw_pipes',`
|
||
|
gen_require(`
|
||
|
type sysadm_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attepts to get the attributes
|
||
|
## of sysadm ttys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_getattr_ttys',`
|
||
|
gen_require(`
|
||
|
type sysadm_tty_device_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_tty_device_t:chr_file getattr;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read and write sysadm ttys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_use_ttys',`
|
||
|
gen_require(`
|
||
|
type sysadm_tty_device_t;
|
||
|
')
|
||
|
|
||
|
dev_list_all_dev_nodes($1)
|
||
|
term_list_ptys($1)
|
||
|
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to use sysadm ttys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_use_ttys',`
|
||
|
gen_require(`
|
||
|
type sysadm_tty_device_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_tty_device_t:chr_file { read write };
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read and write sysadm ptys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_use_ptys',`
|
||
|
gen_require(`
|
||
|
type sysadm_devpts_t;
|
||
|
')
|
||
|
|
||
|
dev_list_all_dev_nodes($1)
|
||
|
term_list_ptys($1)
|
||
|
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Dont audit attempts to read and write sysadm ptys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_use_ptys',`
|
||
|
gen_require(`
|
||
|
type sysadm_devpts_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_devpts_t:chr_file { read write };
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read and write sysadm ttys and ptys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_use_terms',`
|
||
|
sysadm_use_ttys($1)
|
||
|
sysadm_use_ptys($1)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to use sysadm ttys and ptys.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_use_terms',`
|
||
|
sysadm_dontaudit_use_ttys($1)
|
||
|
sysadm_dontaudit_use_ptys($1)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Get the attributes of the sysadm users
|
||
|
## home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_getattr_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_home_dir_t:dir getattr;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to get the
|
||
|
## attributes of the sysadm users
|
||
|
## home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_getattr_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_home_dir_t:dir getattr;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Search the sysadm users home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_search_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_home_dir_t:dir search_dir_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to search the sysadm
|
||
|
## users home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_search_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## List the sysadm users home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_list_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
allow $1 sysadm_home_dir_t:dir list_dir_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to list the sysadm
|
||
|
## users home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_list_home_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Create objects in sysadm home directories
|
||
|
## with automatic file type transition.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
## <param name="private type">
|
||
|
## <summary>
|
||
|
## The type of the object to be created.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
## <param name="object_class">
|
||
|
## <summary>
|
||
|
## The class of the object to be created.
|
||
|
## If not specified, file is used.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_home_dir_filetrans',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t;
|
||
|
')
|
||
|
|
||
|
filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Search the sysadm users home sub directories.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_search_home_content_dirs',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||
|
')
|
||
|
|
||
|
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read files in the sysadm home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_read_home_content_files',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||
|
')
|
||
|
|
||
|
files_search_home($1)
|
||
|
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
|
||
|
read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
|
||
|
read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Do not audit attempts to read files in the sysadm
|
||
|
## home directory.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain to not audit.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_dontaudit_read_home_content_files',`
|
||
|
gen_require(`
|
||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||
|
')
|
||
|
|
||
|
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||
|
dontaudit $1 sysadm_home_t:dir search_dir_perms;
|
||
|
dontaudit $1 sysadm_home_t:file read_file_perms;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
## <summary>
|
||
|
## Read sysadm temporary files.
|
||
|
## </summary>
|
||
|
## <param name="domain">
|
||
|
## <summary>
|
||
|
## Domain allowed access.
|
||
|
## </summary>
|
||
|
## </param>
|
||
|
#
|
||
|
interface(`sysadm_read_tmp_files',`
|
||
|
gen_require(`
|
||
|
type sysadm_tmp_t;
|
||
|
')
|
||
|
|
||
|
files_search_tmp($1)
|
||
|
allow $1 sysadm_tmp_t:dir list_dir_perms;
|
||
|
read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
|
||
|
read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
|
||
|
')
|
||
|
|