Blob Blame History Raw
## <summary>General system administration role</summary>

########################################
## <summary>
##	Change to the system administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change',`
	gen_require(`
		role sysadm_r;
	')

	allow $1 sysadm_r;
')

########################################
## <summary>
##	Change from the system administrator role.
## </summary>
## <desc>
##	<p>
##	Change from the system administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change_to',`
	gen_require(`
		role sysadm_r;
	')

	allow sysadm_r $1;
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_shell_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	domain_entry_file_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans(sysadm_t, $1)
	allow $1 sysadm_t:fd use;
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_sigchld',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_fds',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fd use;
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_rw_pipes',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')