Execute a command with a substitute user

####################################### ##

## The role template for the sudo module. ##

## ##

## This template creates a derived domain which is allowed ## to change the linux user id, to run commands as a different ## user. ##

## ## ##

## The prefix of the user role (e.g., user ## is the prefix for user_r). ##

## ## ##

## The user role. ##

## ## ##

## The user domain associated with the role. ##

## # template(`sudo_role_template',` gen_require(` type sudo_exec_t; type sudo_db_t; attribute sudodomain; ') ############################## # # Declarations # type $1_sudo_t, sudodomain; userdom_user_application_domain($1_sudo_t, sudo_exec_t) domain_interactive_fd($1_sudo_t) domain_role_change_exemption($1_sudo_t) role $2 types $1_sudo_t; userdom_home_manager($1_sudo_t) type $1_sudo_tmp_t; files_tmp_file($1_sudo_tmp_t) allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) allow $1_sudo_t $3:dir search_dir_perms;; allow $1_sudo_t $3:file read_file_perms;; allow $1_sudo_t $3:key search; allow $1_sudo_t $1_t:unix_stream_socket { connectto read write }; # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) userdom_domtrans_user_home($1_sudo_t, $3) userdom_domtrans_user_tmp($1_sudo_t, $3) domain_entry_file($3, sudo_exec_t) domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; kernel_read_system_state($1_sudo_t) seutil_libselinux_linked($1_sudo_t) auth_run_chk_passwd($1_sudo_t, $2) auth_use_nsswitch($1_sudo_t) logging_send_syslog_msg($1_sudo_t) logging_read_syslog_pid($1_sudo_t) term_use_generic_ptys($1_sudo_t) term_setattr_generic_ptys($1_sudo_t) optional_policy(` mta_role($2, $1_sudo_t) ') optional_policy(` rpm_run($1_sudo_t, $2) ') optional_policy(` kerberos_manage_host_rcache($1_sudo_t) kerberos_read_config($1_sudo_t) ') optional_policy(` systemd_domtrans_systemctl($1_sudo_t, $3) systemd_systemctl_entrypoint($3) ') optional_policy(` userdom_write_user_tmp_sockets($1_sudo_t) ') optional_policy(` usermanage_domtrans_passwd($1_sudo_t) ') ') ######################################## ##

## Send a SIGCHLD signal to the sudo domain. ##

## ##

## Domain allowed access. ##

## # interface(`sudo_sigchld',` gen_require(` attribute sudodomain; ') allow $1 sudodomain:process sigchld; ') ####################################### ##

## Allow execute sudo in called domain. ## This interfaces is added for nova-stack policy. ##

## ##

## Domain allowed access. ##

## # interface(`sudo_exec',` gen_require(` type sudo_exec_t; ') can_exec($1, sudo_exec_t) ') ###################################### ##

## Allow to manage sudo database in called domain. ##

## ##

## Domain allowed access. ##

## # interface(`sudo_manage_db',` gen_require(` type sudo_db_t; ') manage_dirs_pattern($1, sudo_db_t, sudo_db_t) manage_files_pattern($1, sudo_db_t, sudo_db_t) ') ######################################## ##

## Transition to sudo log named content ##

## ##

## Domain allowed access. ##

## # interface(`sudo_filetrans_named_content_log',` gen_require(` type sudo_log_t; ') logging_log_filetrans($1, sudo_log_t, file, "sudo.log") ')