## Execute a command with a substitute user ####################################### ## ## The role template for the sudo module. ## ## ##

## This template creates a derived domain which is allowed ## to change the linux user id, to run commands as a different ## user. ##

##
## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## The user role. ## ## ## ## ## The user domain associated with the role. ## ## # template(`sudo_role_template',` gen_require(` type sudo_exec_t; type sudo_db_t; attribute sudodomain; ') ############################## # # Declarations # type $1_sudo_t, sudodomain; userdom_user_application_domain($1_sudo_t, sudo_exec_t) domain_interactive_fd($1_sudo_t) domain_role_change_exemption($1_sudo_t) role $2 types $1_sudo_t; userdom_home_manager($1_sudo_t) type $1_sudo_tmp_t; files_tmp_file($1_sudo_tmp_t) allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) allow $1_sudo_t $3:dir search_dir_perms;; allow $1_sudo_t $3:file read_file_perms;; allow $1_sudo_t $3:key search; allow $1_sudo_t $1_t:unix_stream_socket { connectto read write }; # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) userdom_domtrans_user_home($1_sudo_t, $3) userdom_domtrans_user_tmp($1_sudo_t, $3) domain_entry_file($3, sudo_exec_t) domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; kernel_read_system_state($1_sudo_t) seutil_libselinux_linked($1_sudo_t) auth_run_chk_passwd($1_sudo_t, $2) auth_use_nsswitch($1_sudo_t) logging_send_syslog_msg($1_sudo_t) logging_read_syslog_pid($1_sudo_t) term_use_generic_ptys($1_sudo_t) term_setattr_generic_ptys($1_sudo_t) optional_policy(` mta_role($2, $1_sudo_t) ') optional_policy(` rpm_run($1_sudo_t, $2) ') optional_policy(` kerberos_manage_host_rcache($1_sudo_t) kerberos_read_config($1_sudo_t) ') optional_policy(` netutils_domtrans($1_sudo_t) netutils_run_traceroute($1_sudo_t, $2) ') optional_policy(` systemd_domtrans_systemctl($1_sudo_t, $3) systemd_systemctl_entrypoint($3) ') optional_policy(` userdom_write_user_tmp_sockets($1_sudo_t) ') optional_policy(` usermanage_domtrans_passwd($1_sudo_t) ') ') ######################################## ## ## Send a SIGCHLD signal to the sudo domain. ## ## ## ## Domain allowed access. ## ## # interface(`sudo_sigchld',` gen_require(` attribute sudodomain; ') allow $1 sudodomain:process sigchld; ') ####################################### ## ## Allow execute sudo in called domain. ## This interfaces is added for nova-stack policy. ## ## ## ## Domain allowed access. ## ## # interface(`sudo_exec',` gen_require(` type sudo_exec_t; ') can_exec($1, sudo_exec_t) ') ###################################### ## ## Allow to manage sudo database in called domain. ## ## ## ## Domain allowed access. ## ## # interface(`sudo_manage_db',` gen_require(` type sudo_db_t; ') manage_dirs_pattern($1, sudo_db_t, sudo_db_t) manage_files_pattern($1, sudo_db_t, sudo_db_t) ') ######################################## ## ## Transition to sudo log named content ## ## ## ## Domain allowed access. ## ## # interface(`sudo_filetrans_named_content_log',` gen_require(` type sudo_log_t; ') logging_log_filetrans($1, sudo_log_t, file, "sudo.log") ')