Blame mls/domains/program/su.te
|
Chris PeBenito |
31b7c0 |
#DESC Su - Run shells with substitute user and group
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Domains for the su program.
|
|
Chris PeBenito |
31b7c0 |
# X-Debian-Packages: login
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# su_exec_t is the type of the su executable.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# file_type and sysadmfile are attributes attached to su_exec_t by this
# declaration; neither attribute is declared in the lines shown here.
type su_exec_t, file_type, sysadmfile;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Let sysadm_su_t search (traverse) directories that carry the
# user_home_dir_type attribute. This rule is not conditional on use_mcs or
# targeted_policy, unlike the block further down.
# NOTE(review): sysadm_su_t is not declared in this file; presumably it is
# created by the su_domain macro referenced below - confirm.
allow sysadm_su_t user_home_dir_type:dir search;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Everything else is in the su_domain macro in
|
|
Chris PeBenito |
31b7c0 |
# macros/program/su_macros.te.
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# The rules in this block take effect only when both use_mcs and
# targeted_policy are defined; no rule sits between the two ifdef levels.
ifdef(`use_mcs', `
|
|
Chris PeBenito |
31b7c0 |
ifdef(`targeted_policy', `
|
|
Chris PeBenito |
31b7c0 |
# When a process in unconfined_t executes a file labeled su_exec_t, the new
# process is assigned the range s0 - s0:c0.c255 (categories c0 through c255)
# rather than inheriting the range of the caller.
# NOTE(review): together with the automatic transition below, every su run
# from unconfined_t ends up cleared for all 256 categories - confirm that this
# widening is intended and not broader than the callers need.
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
# NOTE(review): domain_auto_trans is a macro defined outside this file;
# presumably it makes unconfined_t enter sysadm_su_t automatically when it
# executes a su_exec_t file - verify against the macro definition.
domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
|
|
Chris PeBenito |
31b7c0 |
# allow user to suspend terminal
|
|
Chris PeBenito |
31b7c0 |
# Grants sysadm_su_t the signal permission on processes in unconfined_t.
# NOTE(review): the target is the whole unconfined_t domain, not only the
# process that invoked su; under a targeted policy that is presumably a large
# set of processes - confirm the scope is acceptable.
allow sysadm_su_t unconfined_t:process signal;
|
|
Chris PeBenito |
31b7c0 |
# Grants sysadm_su_t the signal and sigstop permissions on its own processes;
# sigstop is the permission that covers stopping (suspending) a process.
allow sysadm_su_t self:process { signal sigstop };
|
|
Chris PeBenito |
31b7c0 |
# NOTE(review): can_exec is a macro defined outside this file; presumably it
# lets sysadm_su_t execute bin_t files while staying in sysadm_su_t, so any
# bin_t program started this way would run with the permissions of the su
# domain - verify against the macro definition.
can_exec(sysadm_su_t, bin_t)
|
|
Chris PeBenito |
31b7c0 |
# NOTE(review): rw_dir_create_file is a macro defined outside this file;
# presumably it grants sysadm_su_t read and write access to home_dir_type
# directories plus file creation inside them - verify against the macro
# definition and confirm the write access is required.
# NOTE(review): the attribute here is home_dir_type, while the unconditional
# search rule earlier in this file names user_home_dir_type - confirm both
# attributes exist and that each rule targets the intended set of directories.
rw_dir_create_file(sysadm_su_t, home_dir_type)
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
')
|