Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/admin/sudo.if

195 lines
4.1 KiB
Text
Raw Normal View History

## <summary>Execute a command with a substitute user</summary>
#######################################
## <summary>
## The role template for the sudo module.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to change the linux user id, to run commands as a different
## user.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The user role.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The user domain associated with the role.
## </summary>
## </param>
#
template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
type sudo_db_t;
attribute sudodomain;
')
##############################
#
# Declarations
#
type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
role $2 types $1_sudo_t;
userdom_home_manager($1_sudo_t)
type $1_sudo_tmp_t;
files_tmp_file($1_sudo_tmp_t)
allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
allow $1_sudo_t $3:dir search_dir_perms;;
allow $1_sudo_t $3:file read_file_perms;;
allow $1_sudo_t $3:key search;
allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
userdom_domtrans_user_home($1_sudo_t, $3)
userdom_domtrans_user_tmp($1_sudo_t, $3)
domain_entry_file($3, sudo_exec_t)
domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
kernel_read_system_state($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
auth_use_nsswitch($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
logging_read_syslog_pid($1_sudo_t)
term_use_generic_ptys($1_sudo_t)
term_setattr_generic_ptys($1_sudo_t)
optional_policy(`
mta_role($2, $1_sudo_t)
')
optional_policy(`
rpm_run($1_sudo_t, $2)
')
optional_policy(`
kerberos_manage_host_rcache($1_sudo_t)
kerberos_read_config($1_sudo_t)
')
optional_policy(`
netutils_domtrans($1_sudo_t)
netutils_run_traceroute($1_sudo_t, $2)
')
optional_policy(`
systemd_domtrans_systemctl($1_sudo_t, $3)
systemd_systemctl_entrypoint($3)
')
optional_policy(`
userdom_write_user_tmp_sockets($1_sudo_t)
')
optional_policy(`
usermanage_domtrans_passwd($1_sudo_t)
')
')
########################################
## <summary>
## Send a SIGCHLD signal to the sudo domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_sigchld',`
gen_require(`
attribute sudodomain;
')
allow $1 sudodomain:process sigchld;
')
#######################################
## <summary>
## Allow execute sudo in called domain.
## This interfaces is added for nova-stack policy.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_exec',`
gen_require(`
type sudo_exec_t;
')
can_exec($1, sudo_exec_t)
')
######################################
## <summary>
## Allow to manage sudo database in called domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_manage_db',`
gen_require(`
type sudo_db_t;
')
manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
manage_files_pattern($1, sudo_db_t, sudo_db_t)
')
########################################
## <summary>
## Transition to sudo log named content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_filetrans_named_content_log',`
gen_require(`
type sudo_log_t;
')
logging_log_filetrans($1, sudo_log_t, file, "sudo.log")
')