Blob Blame History Raw
## <summary>General system administration role</summary>

########################################
## <summary>
##	Change to the generic user role.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_template',`
	userdom_role_change_template($1, sysadm)
')

########################################
## <summary>
##	Change from the generic user role.
## </summary>
## <desc>
##	<p>
##	Change from the generic user role to
##	the specified role.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_to_template',`
	userdom_role_change_template(sysadm, $1)
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_shell_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	domain_entry_file_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.  This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>
##	Allow sysadm to execute a generic bin program in
##	a specified domain.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans(sysadm_t, $1)
	allow $1 sysadm_t:fd use;
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_sigchld',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_fds',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fd use;
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_rw_pipes',`
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attepts to get the attributes
##	of sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dev_list_all_dev_nodes($1)
	term_list_ptys($1)
	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_ttys',`
	gen_require(`
		type sysadm_tty_device_t;
	')

	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')

########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_ptys',`
	gen_require(`
		type sysadm_devpts_t;
	')

	dev_list_all_dev_nodes($1)
	term_list_ptys($1)
	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Dont audit attempts to read and write sysadm ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_ptys',`
	gen_require(`
		type sysadm_devpts_t;
	')

	dontaudit $1 sysadm_devpts_t:chr_file { read write };
')

########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_terms',`
	sysadm_use_ttys($1)
	sysadm_use_ptys($1)
')

########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_use_terms',`
	sysadm_dontaudit_use_ttys($1)
	sysadm_dontaudit_use_ptys($1)
')

########################################
## <summary>
##	Get the attributes of the sysadm users
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_getattr_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of the sysadm users
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir getattr;
')

########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_search_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_search_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')

########################################
## <summary>
##	List the sysadm users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_list_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	allow $1 sysadm_home_dir_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_list_home_dirs',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')

########################################
## <summary>
##	Create objects in sysadm home directories
##	with automatic file type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	If not specified, file is used.
##	</summary>
## </param>
#
interface(`sysadm_home_dir_filetrans',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
')

########################################
## <summary>
##	Search the sysadm users home sub directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_search_home_content_dirs',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
')

########################################
## <summary>
##	Read files in the sysadm home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_read_home_content_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	files_search_home($1)
	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
')

########################################
## <summary>
##	Do not audit attempts to read files in the sysadm
##	home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`sysadm_dontaudit_read_home_content_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
	')

	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
	dontaudit $1 sysadm_home_t:dir search_dir_perms;
	dontaudit $1 sysadm_home_t:file read_file_perms;
')

########################################
## <summary>
##	Read sysadm temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_read_tmp_files',`
	gen_require(`
		type sysadm_tmp_t;
	')

	files_search_tmp($1)
	allow $1 sysadm_tmp_t:dir list_dir_perms;
	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
')