Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/admin/su.te

95 lines
2.3 KiB
Text
Raw Normal View History

policy_module(su, 1.12.0)
########################################
#
# Declarations
#
attribute su_domain_type;
type su_exec_t;
corecmd_executable_file(su_exec_t)
allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
dontaudit su_domain_type self:capability sys_tty_config;
allow su_domain_type self:process { setexec setsched setrlimit };
allow su_domain_type self:fifo_file rw_fifo_file_perms;
allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow su_domain_type self:key { search write };
kernel_read_kernel_sysctls(su_domain_type)
kernel_search_key(su_domain_type)
kernel_link_key(su_domain_type)
# for SSP
dev_read_urand(su_domain_type)
dev_dontaudit_getattr_all(su_domain_type)
fs_search_auto_mountpoints(su_domain_type)
# needed for pam_rootok
selinux_compute_access_vector(su_domain_type)
corecmd_search_bin(su_domain_type)
domain_use_interactive_fds(su_domain_type)
files_read_etc_files(su_domain_type)
files_read_etc_runtime_files(su_domain_type)
files_search_var_lib(su_domain_type)
files_dontaudit_getattr_tmp_dirs(su_domain_type)
init_dontaudit_use_fds(su_domain_type)
# Write to utmp.
init_rw_utmp(su_domain_type)
init_read_state(su_domain_type)
userdom_use_user_terminals(su_domain_type)
userdom_search_user_home_dirs(su_domain_type)
userdom_search_admin_dir(su_domain_type)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd(su_domain_type)
optional_policy(`
locallogin_search_keys(su_domain_type)
')
')
tunable_policy(`polyinstantiation_enabled',`
fs_mount_xattr_fs(su_domain_type)
fs_unmount_xattr_fs(su_domain_type)
')
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(su_domain_type)
')
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(su_domain_type)
')
optional_policy(`
cron_read_pipes(su_domain_type)
')
optional_policy(`
gpm_getattr_gpmctl(su_domain_type)
')
optional_policy(`
kerberos_use(su_domain_type)
')
optional_policy(`
# used when the password has expired
usermanage_read_crack_db(su_domain_type)
')
# Modify .Xauthority file (via xauth program).
optional_policy(`
xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
xserver_domtrans_xauth(su_domain_type)
')