selinux-refpolicy/policy/modules/admin/sudo.te

policy_module(sudo)

## <desc>
##	<p>
##	Determine whether all sudo domains
##	can connect to TCP HTTP ports. This
##	is needed if an additional authentication
##	mechanism via an HTTP server is
##	required for users to use sudo.
##	</p>
## </desc>
gen_tunable(sudo_all_tcp_connect_http_port, false)

## <desc>
##	<p>
##	Determine whether the user application exec
##	domain attribute should be respected for sudo
##	access. If not enabled, only user domains
##	themselves may use sudo.
##	</p>
## </desc>
gen_tunable(sudo_allow_user_exec_domains, false)

########################################
#
# Declarations
attribute sudodomain;

type sudo_exec_t;
application_executable_file(sudo_exec_t)

tunable_policy(`sudo_all_tcp_connect_http_port',`
	corenet_tcp_connect_http_port(sudodomain)
')
Drop module versioning. Semodule stopped using this many years ago. The policy_module() macro will continue to support an optional second parameter as version. If it is not specified, a default value of 1 is set. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2022-01-06 13:55:54 +00:00			`policy_module(sudo)`
add sudo 2005-08-09 19:30:43 +00:00
sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-01-26 23:08:54 +00:00			`## <desc>`
			`## <p>`
			`## Determine whether all sudo domains`
			`## can connect to TCP HTTP ports. This`
			`## is needed if an additional authentication`
			`## mechanism via an HTTP server is`
			`## required for users to use sudo.`
			`## </p>`
			`## </desc>`
			`gen_tunable(sudo_all_tcp_connect_http_port, false)`

sudo: add tunable to control user exec domain access The tunable 'sudo_allow_user_exec_domains' only allows user domains themselves to use sudo if disabled (default), otherwise any domain with the corresponding user exec domain attribute may use sudo. Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-08-08 15:10:47 +00:00			`## <desc>`
			`## <p>`
			`## Determine whether the user application exec`
			`## domain attribute should be respected for sudo`
			`## access. If not enabled, only user domains`
			`## themselves may use sudo.`
			`## </p>`
			`## </desc>`
			`gen_tunable(sudo_allow_user_exec_domains, false)`

add sudo 2005-08-09 19:30:43 +00:00			`########################################`
			`#`
			`# Declarations`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`attribute sudodomain;`
add sudo 2005-08-09 19:30:43 +00:00
			`type sudo_exec_t;`
trunk: add application module 2007-07-19 18:57:48 +00:00			`application_executable_file(sudo_exec_t)`
sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge <me@concord.sh> 2021-01-26 23:08:54 +00:00
			tunable_policy(`sudo_all_tcp_connect_http_port',`
			`corenet_tcp_connect_http_port(sudodomain)`
			`')`