selinux-refpolicy/policy/modules/roles/sysadm.if

548 lines
11 KiB
Plaintext
Raw Normal View History

## <summary>General system administration role</summary>
########################################
## <summary>
## Change to the generic user role.
## </summary>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_template',`
userdom_role_change_template($1, sysadm)
')
########################################
## <summary>
## Change from the generic user role.
## </summary>
## <desc>
## <p>
## Change from the generic user role to
## the specified role.
## </p>
## <p>
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <rolecap/>
#
template(`sysadm_role_change_to_template',`
userdom_role_change_template(sysadm, $1)
')
########################################
## <summary>
## Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_shell_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic bin program in
## a specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_sigchld',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_fds',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fd use;
')
########################################
## <summary>
## Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_rw_pipes',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attepts to get the attributes
## of sysadm ttys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_ttys',`
gen_require(`
type sysadm_tty_device_t;
')
dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')
########################################
## <summary>
## Read and write sysadm ttys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_ttys',`
gen_require(`
type sysadm_tty_device_t;
')
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_use_ttys',`
gen_require(`
type sysadm_tty_device_t;
')
dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')
########################################
## <summary>
## Read and write sysadm ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_ptys',`
gen_require(`
type sysadm_devpts_t;
')
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Dont audit attempts to read and write sysadm ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_use_ptys',`
gen_require(`
type sysadm_devpts_t;
')
dontaudit $1 sysadm_devpts_t:chr_file { read write };
')
########################################
## <summary>
## Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_terms',`
sysadm_use_ttys($1)
sysadm_use_ptys($1)
')
########################################
## <summary>
## Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_use_terms',`
sysadm_dontaudit_use_ttys($1)
sysadm_dontaudit_use_ptys($1)
')
########################################
## <summary>
## Get the attributes of the sysadm users
## home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_getattr_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the sysadm users
## home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_getattr_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir getattr;
')
########################################
## <summary>
## Search the sysadm users home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_search_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the sysadm
## users home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_search_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
## List the sysadm users home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_list_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list the sysadm
## users home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_list_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
## Create objects in sysadm home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## If not specified, file is used.
## </summary>
## </param>
#
interface(`sysadm_home_dir_filetrans',`
gen_require(`
type sysadm_home_dir_t;
')
filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
')
########################################
## <summary>
## Search the sysadm users home sub directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_search_home_content_dirs',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
')
########################################
## <summary>
## Read files in the sysadm home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_read_home_content_files',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
files_search_home($1)
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
')
########################################
## <summary>
## Do not audit attempts to read files in the sysadm
## home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysadm_dontaudit_read_home_content_files',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:file read_file_perms;
')
########################################
## <summary>
## Read sysadm temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_read_tmp_files',`
gen_require(`
type sysadm_tmp_t;
')
files_search_tmp($1)
allow $1 sysadm_tmp_t:dir list_dir_perms;
read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
')