## <summary>General system administration role</summary>
########################################
## <summary>
##	Change to the system administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change',`
	gen_require(`
		role sysadm_r;
	')

	# Role allow rule: the role passed by the caller may change to
	# sysadm_r. This is the only rule emitted here; no type or domain
	# transition rules are added by this interface.
	# Keep the set of callers small, since every role passed in gains
	# a path to the administrator role.
	allow $1 sysadm_r;
')
########################################
## <summary>
##	Change from the system administrator role.
## </summary>
## <desc>
##
##	Change from the system administrator role to
##	the specified role.
##
##
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change_to',`
	gen_require(`
		role sysadm_r;
	')

	# Role allow rule in the reverse direction of sysadm_role_change:
	# sysadm_r is the source and the role passed by the caller is the
	# target. Only this one rule is emitted.
	allow sysadm_r $1;
')
########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# The transition itself comes from a helper defined outside this
	# file; presumably it moves the caller domain into sysadm_t when a
	# shell is executed - confirm against the corecommands module.
	corecmd_shell_domtrans($1, sysadm_t)
	# The three rules below run from sysadm_t back to the caller:
	# use of file descriptors owned by the caller, read and write on
	# caller pipes, and SIGCHLD delivery to the caller.
	allow sysadm_t $1:fd use;
	# NOTE(review): rw_file_perms is applied to the fifo_file class here,
	# while sysadm_rw_pipes in this file uses rw_fifo_file_perms. Confirm
	# both sets expand to the same permissions for fifo_file.
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the spec_domtrans naming and the sibling interfaces in
# this file suggest an explicit transition that needs setexeccon(), but
# the summary above does not say so - confirm and document.
#
interface(`sysadm_bin_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# Helper defined outside this file; called with the caller domain
	# as source and sysadm_t as target.
	corecmd_bin_spec_domtrans($1, sysadm_t)
	# Rules from sysadm_t back to the caller: use caller file
	# descriptors, read and write caller pipes, send SIGCHLD.
	allow sysadm_t $1:fd use;
	# NOTE(review): rw_file_perms on the fifo_file class; sysadm_rw_pipes
	# in this file uses rw_fifo_file_perms. Confirm the sets match.
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# Helper defined outside this file; called with the caller domain
	# as source and sysadm_t as target. Per the summary the transition
	# is explicit, so the caller has to request it with setexeccon().
	# The grant covers all entrypoint files, so audit which domains
	# are passed to this interface.
	domain_entry_file_spec_domtrans($1, sysadm_t)
	# Rules from sysadm_t back to the caller: use caller file
	# descriptors, read and write caller pipes, send SIGCHLD.
	allow sysadm_t $1:fd use;
	# NOTE(review): rw_file_perms on the fifo_file class; sysadm_rw_pipes
	# in this file uses rw_fifo_file_perms. Confirm the sets match.
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
##	Allow sysadm to execute all entrypoint files in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##
##	Allow sysadm to execute all entrypoint files in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
##
##
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	# Helper defined outside this file; here sysadm_t is the source
	# and the domain passed by the caller is the target, the reverse
	# of sysadm_entry_spec_domtrans.
	domain_entry_file_spec_domtrans(sysadm_t, $1)
	# Rules from the target domain back to sysadm_t: use sysadm file
	# descriptors, read and write sysadm pipes, send SIGCHLD.
	allow $1 sysadm_t:fd use;
	# NOTE(review): rw_file_perms on the fifo_file class; sysadm_rw_pipes
	# in this file uses rw_fifo_file_perms. Confirm the sets match.
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##
##	Allow sysadm to execute a generic bin program in
##	a specified domain.
##
##
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	# Helper defined outside this file; here sysadm_t is the source
	# and the domain passed by the caller is the target, the reverse
	# of sysadm_bin_spec_domtrans.
	corecmd_bin_spec_domtrans(sysadm_t, $1)
	# Rules from the target domain back to sysadm_t: use sysadm file
	# descriptors, read and write sysadm pipes, send SIGCHLD.
	allow $1 sysadm_t:fd use;
	# NOTE(review): rw_file_perms on the fifo_file class; sysadm_rw_pipes
	# in this file uses rw_fifo_file_perms. Confirm the sets match.
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_sigchld',`
	gen_require(`
		type sysadm_t;
	')

	# Single rule: the caller domain may send SIGCHLD to processes
	# running as sysadm_t. No other signal is granted.
	allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
##	Inherit and use sysadm file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_fds',`
	gen_require(`
		type sysadm_t;
	')

	# Single rule: the caller domain may use file descriptors owned by
	# sysadm_t. Access to the object behind a descriptor is not granted
	# by this rule and has to be allowed separately.
	allow $1 sysadm_t:fd use;
')
########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_rw_pipes',`
	gen_require(`
		type sysadm_t;
	')

	# Single rule: the caller domain gets the rw_fifo_file_perms set on
	# fifo_file objects labeled sysadm_t. The set is defined outside
	# this file.
	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')