Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/roles/sysadm.if

255 lines
5.1 KiB
Text

## <summary>General system administration role</summary>
########################################
## <summary>
## Change to the system administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change',`
gen_require(`
role sysadm_r;
')
allow $1 sysadm_r;
')
########################################
## <summary>
## Change from the system administrator role.
## </summary>
## <desc>
## <p>
## Change from the system administrator role to
## the specified role.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysadm_role_change_to',`
gen_require(`
role sysadm_r;
')
allow sysadm_r $1;
')
########################################
## <summary>
## Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_shell_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_shell_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
#######################################
## <summary>
## sysadm stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sysadm_stub',`
gen_require(`
type sysadm_t;
role sysadm_r;
')
')
########################################
## <summary>
## Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_entry_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic bin program in
## a specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`sysadm_bin_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_sigchld',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_use_fds',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fd use;
')
########################################
## <summary>
## Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysadm_rw_pipes',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')