#DESC Su - Run shells with substitute user and group
#
# Domains for the su program.
# X-Debian-Packages: login
#
# This file declares the executable type for su and adds a few rules for the
# sysadm_su_t domain. sysadm_su_t itself is not declared here; per the note
# further down it presumably comes from the su_domain macro - confirm in
# macros/program/su_macros.te.
#

#
# su_exec_t is the type of the su executable.
# It carries the file_type and sysadmfile attributes.
#
type su_exec_t, file_type, sysadmfile;

# Let sysadm_su_t search (traverse) directories that carry the
# user_home_dir_type attribute. Only the search permission is granted here.
allow sysadm_su_t user_home_dir_type:dir search;

# Everything else is in the su_domain macro in
# macros/program/su_macros.te.

# The rules below are emitted only when both use_mcs and targeted_policy
# are defined at policy build time.
# NOTE: the rules sit inside m4 quoted text, so comments placed in this block
# must not contain backquote or apostrophe characters.
ifdef(`use_mcs', `
ifdef(`targeted_policy', `
# When an unconfined_t process executes a su_exec_t file, the new process
# gets the range s0 - s0:c0.c255, i.e. clearance for categories c0 through c255.
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
# Macro defined outside this file. By its name and arguments it presumably
# makes unconfined_t transition to sysadm_su_t automatically when it executes
# su_exec_t - confirm against the macro definition.
domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
# allow user to suspend terminal
# sysadm_su_t may send the signal permission class to unconfined_t processes,
# and both signal and sigstop to itself.
allow sysadm_su_t unconfined_t:process signal;
allow sysadm_su_t self:process { signal sigstop };
# Macro defined outside this file. Presumably lets sysadm_su_t execute bin_t
# files while staying in its own domain - confirm against the macro definition.
can_exec(sysadm_su_t, bin_t)
# Macro defined outside this file. Presumably grants sysadm_su_t read/write on
# directories and create on files labelled with home_dir_type - confirm.
# NOTE(review): this is write access for the su domain over home directories.
# Check that the macro expansion is no broader than su needs, and that using
# home_dir_type here versus user_home_dir_type in the search rule above is
# intended rather than a naming slip.
rw_dir_create_file(sysadm_su_t, home_dir_type)
')
')