#DESC Admin - Domains for administrators.
#
#################################
# sysadm_t is the system administrator domain.
# Declares sysadm_t and attaches its attributes. Any rule elsewhere in the
# policy that is written against one of these attributes (for example the
# privhome rule on home_root_t) also applies to sysadm_t, so the effective
# privilege of this domain is the union of all attribute-based rules.
# The statement continues on the following lines: priv_system_role is appended
# only when direct_sysadm_daemon is defined, and the closing semicolon follows.
type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
ifdef(`direct_sysadm_daemon', `, priv_system_role')
; dnl end of sysadm_t type declaration
# Attribute-wide rule: every type carrying privhome (sysadm_t included, per
# its declaration) may getattr and search directories labeled home_root_t.
allow privhome home_root_t:dir { getattr search };
# system_r is authorized for sysadm_t for single-user mode.
# Makes system_r:sysadm_t a valid role/type pairing.
# NOTE(review): this only authorizes the pairing; which domains may actually
# transition into sysadm_t under system_r depends on rules not shown here.
role system_r types sysadm_t;
# Macro defined outside this section. By its name it grants sysadm_t read
# access to general /proc entries - confirm against the macro body.
general_proc_read_access(sysadm_t)
# sysadm_t is also granted permissions specific to administrator domains.
# Passes the bare prefix sysadm rather than the type sysadm_t used by the
# other calls here; presumably the macro builds type names from the prefix
# - confirm in the macro definition, which is not shown.
# NOTE(review): the permissions granted to the administrator domain are
# whatever admin_domain expands to, so review that macro when auditing sysadm_t.
admin_domain(sysadm)
# Allow administrator domains to set the enforcing flag.
# NOTE(review): the enforcing flag selects enforcing versus permissive mode,
# so a process in sysadm_t can switch enforcement off system-wide. Presumably
# the macro grants the setenforce permission - confirm in its definition, and
# make sure mode changes are audited and alerted on.
can_setenforce(sysadm_t)
# Allow administrator domains to set policy booleans.
# NOTE(review): booleans switch conditional policy rules on and off at
# runtime, so this lets sysadm_t change the active rule set without loading
# a new policy. Macro body not shown - confirm the exact permissions granted.
can_setbool(sysadm_t)
# Allow administrator domains to set security parameters
# Macro body not shown; presumably it grants the setsecparam permission of
# the security class - confirm in the macro definition.
can_setsecparam(sysadm_t)
# for su
# sysadm_t may use file descriptors that belong to any type carrying the
# userdomain attribute (descriptors inherited across su, per the comment).
# NOTE(review): fd use covers the descriptor only; access to the object
# behind it is presumably still checked by the file-class rules - confirm.
allow sysadm_t userdomain:fd use;
# m4 macro: admin_tty_type expands to the set of the two sysadm terminal
# types named here, presumably so rules elsewhere can cover both with one name.
define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
# Add/remove user home directories
# Macro body not shown. From its arguments, presumably a directory created by
# sysadm_t inside a home_root_t directory is labeled user_home_dir_t
# automatically - confirm in the macro definition.
# NOTE(review): correct labels on new home directories matter because the
# user-domain rules are written against the label, not the path.
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)