selinux-refpolicy/strict/macros/program/sudo_macros.te

35 lines
1.1 KiB
Plaintext
Raw Normal View History

2005-04-29 17:45:15 +00:00
# Authors: Dan Walsh, Russell Coker
# Maintained by Dan Walsh <dwalsh@redhat.com>
define(`sudo_domain',`
newrole_domain($1_sudo, `, privuser')
# By default, revert to the calling domain when a shell is executed.
domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
ifdef(`mta.te', `
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
')
allow $1_sudo_t self:capability sys_resource;
allow $1_sudo_t self:process setrlimit;
ifdef(`pam.te', `
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
allow $1_sudo_t pam_var_run_t:file create_file_perms;
')
allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
allow $1_sudo_t sysctl_t:dir search;
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
read_sysctl($1_sudo_t)
allow $1_sudo_t var_run_t:dir search;
r_dir_file($1_sudo_t, default_context_t)
rw_dir_create_file($1_sudo_t, $1_tmp_t)
rw_dir_create_file($1_sudo_t, $1_home_t)
domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
')