nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8ef3a91347
selinux-refpolicy/policy/modules/roles/sysadm.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

249 lines
5.1 KiB
Plaintext
Raw Blame History

## <summary>General system administration role</summary>
########################################
## <summary>
## Change to the system administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change',`
gen_require(`
type sysadm_t;
role sysadm_r;
')
allow $1 sysadm_r;
tunable_policy(`sysadm_allow_rw_inherited_fifo', `
allow sysadm_t $2:fifo_file rw_inherited_fifo_file_perms;
')
')
########################################
## <summary>
## Change from the system administrator role.
## </summary>
## <desc>
## <p>
## Change from the system administrator role to
## the specified role.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change_to',`
gen_require(`
role sysadm_r;
')
allow sysadm_r $1;
')
########################################
## <summary>
## Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_shell_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_inherited_fifo_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic bin program in
## a specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_inherited_fifo_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_sigchld',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_fds',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fd use;
')
########################################
## <summary>
## Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_rw_pipes',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
Reference in New Issue View Git Blame Copy Permalink