General system administration role

######################################## ##

## Change to the generic user role. ##

## ##

## The prefix of the user role (e.g., user ## is the prefix for user_r). ##

## ## # template(`sysadm_role_change_template',` userdom_role_change_template($1, sysadm) ') ######################################## ##

## Change from the generic user role. ##

## ##

## Change from the generic user role to ## the specified role. ##

## This is a template to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

## ## ##

## The prefix of the user role (e.g., user ## is the prefix for user_r). ##

## ## # template(`sysadm_role_change_to_template',` userdom_role_change_template(sysadm, $1) ') ######################################## ##

## Execute a shell in the sysadm domain. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_shell_domtrans',` gen_require(` type sysadm_t; ') corecmd_shell_domtrans($1, sysadm_t) allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; ') ######################################## ##

## Execute a generic bin program in the sysadm domain. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_bin_spec_domtrans',` gen_require(` type sysadm_t; ') corecmd_bin_spec_domtrans($1, sysadm_t) allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; ') ######################################## ##

## Execute all entrypoint files in the sysadm domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_entry_spec_domtrans',` gen_require(` type sysadm_t; ') domain_entry_file_spec_domtrans($1, sysadm_t) allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; ') ######################################## ##

## Allow sysadm to execute a generic bin program in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). ##

## ##

## Allow sysadm to execute a generic bin program in ## a specified domain. ##

## This is a interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

## ## ##

## Domain to execute in. ##

## # interface(`sysadm_bin_spec_domtrans_to',` gen_require(` type sysadm_t; ') corecmd_bin_spec_domtrans(sysadm_t, $1) allow $1 sysadm_t:fd use; allow $1 sysadm_t:fifo_file rw_file_perms; allow $1 sysadm_t:process sigchld; ') ######################################## ##

## Send a SIGCHLD signal to sysadm users. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_sigchld',` gen_require(` type sysadm_t; ') allow $1 sysadm_t:process sigchld; ') ######################################## ##

## Inherit and use sysadm file descriptors ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_use_fds',` gen_require(` type sysadm_t; ') allow $1 sysadm_t:fd use; ') ######################################## ##

## Read and write sysadm user unnamed pipes. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_rw_pipes',` gen_require(` type sysadm_t; ') allow $1 sysadm_t:fifo_file rw_fifo_file_perms; ') ######################################## ##

## Do not audit attepts to get the attributes ## of sysadm ttys. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_dontaudit_getattr_ttys',` gen_require(` type sysadm_tty_device_t; ') dontaudit $1 sysadm_tty_device_t:chr_file getattr; ') ######################################## ##

## Read and write sysadm ttys. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_use_ttys',` gen_require(` type sysadm_tty_device_t; ') dev_list_all_dev_nodes($1) term_list_ptys($1) allow $1 sysadm_tty_device_t:chr_file rw_term_perms; ') ######################################## ##

## Do not audit attempts to use sysadm ttys. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_use_ttys',` gen_require(` type sysadm_tty_device_t; ') dontaudit $1 sysadm_tty_device_t:chr_file { read write }; ') ######################################## ##

## Read and write sysadm ptys. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_use_ptys',` gen_require(` type sysadm_devpts_t; ') dev_list_all_dev_nodes($1) term_list_ptys($1) allow $1 sysadm_devpts_t:chr_file rw_term_perms; ') ######################################## ##

## Dont audit attempts to read and write sysadm ptys. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_use_ptys',` gen_require(` type sysadm_devpts_t; ') dontaudit $1 sysadm_devpts_t:chr_file { read write }; ') ######################################## ##

## Read and write sysadm ttys and ptys. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_use_terms',` sysadm_use_ttys($1) sysadm_use_ptys($1) ') ######################################## ##

## Do not audit attempts to use sysadm ttys and ptys. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_use_terms',` sysadm_dontaudit_use_ttys($1) sysadm_dontaudit_use_ptys($1) ') ######################################## ##

## Get the attributes of the sysadm users ## home directory. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_getattr_home_dirs',` gen_require(` type sysadm_home_dir_t; ') allow $1 sysadm_home_dir_t:dir getattr; ') ######################################## ##

## Do not audit attempts to get the ## attributes of the sysadm users ## home directory. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_getattr_home_dirs',` gen_require(` type sysadm_home_dir_t; ') dontaudit $1 sysadm_home_dir_t:dir getattr; ') ######################################## ##

## Search the sysadm users home directory. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_search_home_dirs',` gen_require(` type sysadm_home_dir_t; ') allow $1 sysadm_home_dir_t:dir search_dir_perms; ') ######################################## ##

## Do not audit attempts to search the sysadm ## users home directory. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_search_home_dirs',` gen_require(` type sysadm_home_dir_t; ') dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; ') ######################################## ##

## List the sysadm users home directory. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_list_home_dirs',` gen_require(` type sysadm_home_dir_t; ') allow $1 sysadm_home_dir_t:dir list_dir_perms; ') ######################################## ##

## Do not audit attempts to list the sysadm ## users home directory. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_list_home_dirs',` gen_require(` type sysadm_home_dir_t; ') dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; ') ######################################## ##

## Create objects in sysadm home directories ## with automatic file type transition. ##

## ##

## Domain allowed access. ##

## ## ##

## The type of the object to be created. ##

## ## ##

## The class of the object to be created. ## If not specified, file is used. ##

## # interface(`sysadm_home_dir_filetrans',` gen_require(` type sysadm_home_dir_t; ') filetrans_pattern($1, sysadm_home_dir_t, $2, $3) ') ######################################## ##

## Search the sysadm users home sub directories. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_search_home_content_dirs',` gen_require(` type sysadm_home_dir_t, sysadm_home_t; ') allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms; ') ######################################## ##

## Read files in the sysadm home directory. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_read_home_content_files',` gen_require(` type sysadm_home_dir_t, sysadm_home_t; ') files_search_home($1) allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) ') ######################################## ##

## Do not audit attempts to read files in the sysadm ## home directory. ##

## ##

## Domain to not audit. ##

## # interface(`sysadm_dontaudit_read_home_content_files',` gen_require(` type sysadm_home_dir_t, sysadm_home_t; ') dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; dontaudit $1 sysadm_home_t:dir search_dir_perms; dontaudit $1 sysadm_home_t:file read_file_perms; ') ######################################## ##

## Read sysadm temporary files. ##

## ##

## Domain allowed access. ##

## # interface(`sysadm_read_tmp_files',` gen_require(` type sysadm_tmp_t; ') files_search_tmp($1) allow $1 sysadm_tmp_t:dir list_dir_perms; read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) ')