## General system administration role

########################################
## <summary>
##	Change to the system administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_role_change',`
	gen_require(`
		type sysadm_t;
		role sysadm_r;
	')

	# Role allow rule: role $1 may change into sysadm_r.
	allow $1 sysadm_r;

	# Optional, tunable-gated: once in sysadm_t, keep reading/writing
	# pipes labeled with the caller's domain type $2 (i.e. pipes
	# inherited across the change). The inherited perm set deliberately
	# omits open, so no new pipes of type $2 can be opened by name.
	tunable_policy(`sysadm_allow_rw_inherited_fifo',`
		allow sysadm_t $2:fifo_file rw_inherited_fifo_file_perms;
	')
')

########################################
## <summary>
##	Change from the system administrator role.
## </summary>
## <desc>
##	<p>

## Change from the system administrator role to ## the specified role. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change_to',`
	gen_require(`
		role sysadm_r;
	')

	# Role allow rule: sysadm_r may change into role $1.
	allow sysadm_r $1;
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# Transition $1 -> sysadm_t on execution of a shell.
	corecmd_shell_domtrans($1, sysadm_t)

	# Post-transition plumbing: sysadm_t may keep using the file
	# descriptors and pipes it inherited from $1, and may deliver
	# SIGCHLD back to $1 on exit.
	allow sysadm_t $1:fd use;
	# NOTE(review): rw_file_perms is the generic file set and includes
	# open; the pipe-specific sets used elsewhere in this file
	# (rw_fifo_file_perms in sysadm_rw_pipes, rw_inherited_fifo_file_perms
	# in sysadm_role_change) are the usual choice, and the inherited
	# variant drops open, which an already-inherited pipe does not need.
	# Same pattern in sysadm_bin_spec_domtrans and
	# sysadm_entry_spec_domtrans below. Confirm caller needs before
	# tightening.
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# Explicit (not automatic) transition $1 -> sysadm_t on execution of
	# a generic bin program; the caller must request it.
	corecmd_bin_spec_domtrans($1, sysadm_t)

	# Same post-transition fd/pipe/SIGCHLD plumbing as
	# sysadm_shell_domtrans (see the note there on rw_file_perms).
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
	gen_require(`
		type sysadm_t;
	')

	# Explicit transition $1 -> sysadm_t via any sysadm entrypoint file;
	# no type_transition is installed, so the caller must setexeccon().
	domain_entry_file_spec_domtrans($1, sysadm_t)

	# Same post-transition fd/pipe/SIGCHLD plumbing as
	# sysadm_shell_domtrans (see the note there on rw_file_perms).
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
')

########################################
## <summary>
##	Allow sysadm to execute all entrypoint files in
##	a specified domain. This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>

## Allow sysadm to execute all entrypoint files in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	# Reverse direction of sysadm_entry_spec_domtrans: explicit
	# transition sysadm_t -> $1 via $1's entrypoint files. No
	# type_transition is installed, so sysadm must setexeccon().
	domain_entry_file_spec_domtrans(sysadm_t, $1)

	# Post-transition plumbing for the new domain $1: it may keep using
	# the descriptors and pipes inherited from sysadm_t and may deliver
	# SIGCHLD to sysadm_t on exit.
	allow $1 sysadm_t:fd use;
	# NOTE(review): rw_file_perms is the generic file set and includes
	# open; rw_inherited_fifo_file_perms (used in sysadm_role_change)
	# drops open, which an inherited pipe does not need. Confirm caller
	# needs before tightening.
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain. This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>

## Allow sysadm to execute a generic bin program in ## a specified domain. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
	gen_require(`
		type sysadm_t;
	')

	# Reverse direction of sysadm_bin_spec_domtrans: explicit transition
	# sysadm_t -> $1 on execution of a generic bin program; sysadm must
	# request it (setexeccon()).
	corecmd_bin_spec_domtrans(sysadm_t, $1)

	# Post-transition plumbing for the new domain $1: it may keep using
	# the descriptors and pipes inherited from sysadm_t and may deliver
	# SIGCHLD to sysadm_t on exit.
	allow $1 sysadm_t:fd use;
	# NOTE(review): rw_file_perms includes open; sysadm_rw_pipes below
	# uses the pipe-specific rw_fifo_file_perms, and the inherited
	# variant (rw_inherited_fifo_file_perms) drops open. Confirm caller
	# needs before tightening.
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_sigchld',`
	gen_require(`
		type sysadm_t;
	')

	# Only sigchld, not the broader signal perms.
	allow $1 sysadm_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_use_fds',`
	gen_require(`
		type sysadm_t;
	')

	# Use of descriptors created by sysadm_t and inherited by $1.
	allow $1 sysadm_t:fd use;
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysadm_rw_pipes',`
	gen_require(`
		type sysadm_t;
	')

	# Pipe-specific perm set (includes open); if callers only ever
	# inherit the pipe, rw_inherited_fifo_file_perms would be tighter.
	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')