b6352a3de7
fifo_files inherited from domains allowed to change role to sysadm_r. This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a staff_u:staff_r:staff_t context
249 lines
5.0 KiB
Plaintext
249 lines
5.0 KiB
Plaintext
## <summary>General system administration role</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Change to the system administrator role.
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`sysadm_role_change',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
role sysadm_r;
|
|
')
|
|
|
|
allow $1 sysadm_r;
|
|
|
|
tunable_policy(`sysadm_allow_rw_inherited_fifo', `
|
|
allow sysadm_t $2:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Change from the system administrator role.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Change from the system administrator role to
|
|
## the specified role.
|
|
## </p>
|
|
## <p>
|
|
## This is an interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`sysadm_role_change_to',`
|
|
gen_require(`
|
|
role sysadm_r;
|
|
')
|
|
|
|
allow sysadm_r $1;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a shell in the sysadm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_shell_domtrans',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
corecmd_shell_domtrans($1, sysadm_t)
|
|
allow sysadm_t $1:fd use;
|
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
|
allow sysadm_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a generic bin program in the sysadm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_bin_spec_domtrans',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
corecmd_bin_spec_domtrans($1, sysadm_t)
|
|
allow sysadm_t $1:fd use;
|
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
|
allow sysadm_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all entrypoint files in the sysadm domain. This
|
|
## is an explicit transition, requiring the
|
|
## caller to use setexeccon().
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_entry_spec_domtrans',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
domain_entry_file_spec_domtrans($1, sysadm_t)
|
|
allow sysadm_t $1:fd use;
|
|
allow sysadm_t $1:fifo_file rw_file_perms;
|
|
allow sysadm_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow sysadm to execute all entrypoint files in
|
|
## a specified domain. This is an explicit transition,
|
|
## requiring the caller to use setexeccon().
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Allow sysadm to execute all entrypoint files in
|
|
## a specified domain. This is an explicit transition,
|
|
## requiring the caller to use setexeccon().
|
|
## </p>
|
|
## <p>
|
|
## This is a interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_entry_spec_domtrans_to',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
domain_entry_file_spec_domtrans(sysadm_t, $1)
|
|
allow $1 sysadm_t:fd use;
|
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
|
allow $1 sysadm_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow sysadm to execute a generic bin program in
|
|
## a specified domain. This is an explicit transition,
|
|
## requiring the caller to use setexeccon().
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Allow sysadm to execute a generic bin program in
|
|
## a specified domain.
|
|
## </p>
|
|
## <p>
|
|
## This is a interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to execute in.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_bin_spec_domtrans_to',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
corecmd_bin_spec_domtrans(sysadm_t, $1)
|
|
allow $1 sysadm_t:fd use;
|
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
|
allow $1 sysadm_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send a SIGCHLD signal to sysadm users.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_sigchld',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
allow $1 sysadm_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Inherit and use sysadm file descriptors
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_use_fds',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
allow $1 sysadm_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write sysadm user unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sysadm_rw_pipes',`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
')
|
|
|
|
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
|
|
')
|