################################################
#
# Role-based access control (RBAC) configuration.
#

# The RBAC configuration was originally centralized in this
# file, but has been decomposed into individual role declarations,
# role allow rules, and role transition rules throughout the TE
# configuration to support easy removal or adding of domains without
# modifying a centralized file each time. This also allowed the macros
# to properly instantiate role declarations and rules for domains.
# Hence, this file is largely unused, except for miscellaneous
# role allow rules.

########################################
#
# Role allow rules.
#
# A role allow rule specifies the allowable
# transitions between roles on an execve.
# If no rule is specified, then the change in
# roles will not be permitted. Additional
# controls over role transitions based on the
# type of the process may be specified through
# the constraints file.
#
# The syntax of a role allow rule is:
# allow current_role new_role ;
#
# Allow the admin role to transition to the system
# role for run_init.
#
allow sysadm_r system_r;