policy_module(su, 1.12.0)

########################################
#
# Declarations
#

attribute su_domain_type;

type su_exec_t;
corecmd_executable_file(su_exec_t)

allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search  fowner sys_nice sys_resource };
dontaudit su_domain_type self:capability sys_tty_config;
allow su_domain_type self:process { setexec setsched setrlimit };
allow su_domain_type self:fifo_file rw_fifo_file_perms;
allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow su_domain_type self:key { search write };

kernel_read_kernel_sysctls(su_domain_type)
kernel_search_key(su_domain_type)
kernel_link_key(su_domain_type)

# for SSP
dev_read_urand(su_domain_type)
dev_dontaudit_getattr_all(su_domain_type)

fs_search_auto_mountpoints(su_domain_type)

# needed for pam_rootok
selinux_compute_access_vector(su_domain_type)

corecmd_search_bin(su_domain_type)

domain_use_interactive_fds(su_domain_type)

files_read_etc_files(su_domain_type)
files_read_etc_runtime_files(su_domain_type)
files_search_var_lib(su_domain_type)
files_dontaudit_getattr_tmp_dirs(su_domain_type)

init_dontaudit_use_fds(su_domain_type)
# Write to utmp.
init_rw_utmp(su_domain_type)
init_read_state(su_domain_type)

userdom_use_user_terminals(su_domain_type)
userdom_search_user_home_dirs(su_domain_type)
userdom_search_admin_dir(su_domain_type)

ifdef(`distro_redhat',`
	# RHEL5 and possibly newer releases incl. Fedora
	auth_domtrans_upd_passwd(su_domain_type)

	optional_policy(`
		locallogin_search_keys(su_domain_type)
	')
')

tunable_policy(`polyinstantiation_enabled',`
	fs_mount_xattr_fs(su_domain_type)
	fs_unmount_xattr_fs(su_domain_type)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(su_domain_type)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(su_domain_type)
')

optional_policy(`
	cron_read_pipes(su_domain_type)
')

optional_policy(`
    gpm_getattr_gpmctl(su_domain_type)
')

optional_policy(`
	kerberos_use(su_domain_type)
')

optional_policy(`
	# used when the password has expired
	usermanage_read_crack_db(su_domain_type)
')

# Modify .Xauthority file (via xauth program).
optional_policy(`
	xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
	xserver_domtrans_xauth(su_domain_type)
')