44 lines
1.2 KiB
Plaintext
44 lines
1.2 KiB
Plaintext
#DESC Admin - Domains for administrators.
|
|
#
|
|
#################################
|
|
|
|
# sysadm_t is the system administrator domain.
|
|
type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
|
|
ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
|
; dnl end of sysadm_t type declaration
|
|
|
|
allow privhome home_root_t:dir { getattr search };
|
|
|
|
# system_r is authorized for sysadm_t for single-user mode.
|
|
role system_r types sysadm_t;
|
|
|
|
general_proc_read_access(sysadm_t)
|
|
|
|
# sysadm_t is also granted permissions specific to administrator domains.
|
|
admin_domain(sysadm)
|
|
|
|
# for su
|
|
allow sysadm_t userdomain:fd use;
|
|
|
|
ifdef(`separate_secadm', `', `
|
|
security_manager_domain(sysadm_t)
|
|
')
|
|
|
|
# Add/remove user home directories
|
|
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
|
|
|
limited_user_role(secadm)
|
|
typeattribute secadm_t admin;
|
|
role secadm_r types secadm_t;
|
|
security_manager_domain(secadm_t)
|
|
r_dir_file(secadm_t, { var_t var_log_t })
|
|
|
|
typeattribute secadm_tty_device_t admin_tty_type;
|
|
typeattribute secadm_devpts_t admin_tty_type;
|
|
|
|
bool allow_ptrace false;
|
|
|
|
if (allow_ptrace) {
|
|
can_ptrace(sysadm_t, domain)
|
|
}
|