#DESC Admin - Domains for administrators.

#

#################################

# sysadm_t is the system administrator domain.

type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain

ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')

; dnl end of sysadm_t type declaration

allow privhome home_root_t:dir { getattr search };

# system_r is authorized for sysadm_t for single-user mode.

role system_r types sysadm_t; 

general_proc_read_access(sysadm_t)

# sysadm_t is also granted permissions specific to administrator domains.

admin_domain(sysadm)

# for su

allow sysadm_t userdomain:fd use;

ifdef(`separate_secadm', `', `

security_manager_domain(sysadm_t)

')

# Add/remove user home directories

file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)

limited_user_role(secadm)

typeattribute secadm_t admin;

role secadm_r types secadm_t; 

security_manager_domain(secadm_t)

r_dir_file(secadm_t, { var_t var_log_t })

typeattribute secadm_tty_device_t admin_tty_type;

typeattribute secadm_devpts_t admin_tty_type;

bool allow_ptrace false;

if (allow_ptrace) {

can_ptrace(sysadm_t, domain)

}