2015-06-08 20:38:21

by Jason Zaman

Subject: [refpolicy] [PATCH v2 1/2] Introduce iptables_admin

---
policy/modules/roles/sysadm.te | 1 +
policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8219dea..f9919fd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -178,6 +178,7 @@ optional_policy(`
')

optional_policy(`
+ iptables_admin(sysadm_t, sysadm_r)
iptables_run(sysadm_t, sysadm_r)
')

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index c42fbc3..26ce647 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an iptables
+## environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iptables_admin',`
+ gen_require(`
+ type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+ type iptables_tmp_t, iptables_var_run_t;
+ ')
+
+ allow $1 iptables_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iptables_t)
+
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, iptables_conf_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, iptables_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, iptables_var_run_t)
+')
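Review bot: The interface grants `ptrace` on iptables_t unconditionally (line `allow $1 iptables_t:process { ptrace signal_perms };`), while sysadm.te gates its other ptrace access behind the `allow_ptrace` tunable visible in the 2/2 hunk headers; if ptrace is not actually needed to administer iptables, `signal_perms` alone would be the least-privilege choice, otherwise a one-line comment explaining why it is required would help the next reader. The `<summary>` also says "All of the rules required to administrate an iptables environment", but the interface does not grant execution of the iptables tools — sysadm.te still calls `iptables_run` separately in the first hunk. Suggest stating that in the summary, e.g. `## Execution of the iptables tools is not included; use iptables_run() for that.`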
--
2.3.6


2015-06-08 20:38:22

by Jason Zaman

Subject: [refpolicy] [PATCH v2 2/2] Add all the missing _admin interfaces to sysadm

Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.

The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
---
policy/modules/roles/sysadm.te | 788 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 784 insertions(+), 4 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index f9919fd..5a95779 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -66,10 +66,47 @@ tunable_policy(`allow_ptrace',`
')

optional_policy(`
+ abrt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ accountsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ acct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ afs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aiccu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aide_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aisexecd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
+ amavis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ amtu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apache_admin(sysadm_t, sysadm_r)
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -77,8 +114,12 @@ optional_policy(`
')

optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
+ apcupsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apm_admin(sysadm_t, sysadm_r)
+ apm_run_client(sysadm_t, sysadm_r)
')
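Review bot: This hunk does more than add missing `_admin` calls: it replaces `apm_domtrans_client(sysadm_t)` with `apm_run_client(sysadm_t, sysadm_r)` and drops the `cjp` comment, which presumably also associates the apm client domain with sysadm_r — a behaviour change the commit message does not mention. The hunk ending with `corenet_udp_bind_ntp_port(sysadm_t)` likewise replaces `ntp_stub()` with `ntp_admin(sysadm_t, sysadm_r)`. Both look intentional, but they should be called out in the description (or split into their own patch) so that a reader of the history does not assume the patch is purely additive.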

optional_policy(`
@@ -86,6 +127,11 @@ optional_policy(`
')

optional_policy(`
+ arpwatch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ asterisk_admin(sysadm_t, sysadm_r)
asterisk_stream_connect(sysadm_t)
')

@@ -94,26 +140,104 @@ optional_policy(`
')

optional_policy(`
+ automount_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ avahi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
bacula_run_admin(sysadm_t, sysadm_r)
+ bacula_admin(sysadm_t, sysadm_r)
')

optional_policy(`
+ bcfg2_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bind_admin(sysadm_t, sysadm_r)
bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
+ bird_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bitlbee_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ boinc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ bugzilla_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cachefilesd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ calamaris_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ callweaver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ canna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ccs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmaster_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmonger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ cfengine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cgroup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ chronyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cipe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clamav_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
clock_run(sysadm_t, sysadm_r)
')
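Review bot: The `bacula_admin` call is appended after the existing `bacula_run_admin` line, whereas every other block in the patch places the `_admin` call first; the same inconsistency appears with `portmap_admin`, `quota_admin`, `raid_admin_mdadm` and `rpm_admin` in later hunks. For consistency, move `bacula_admin(sysadm_t, sysadm_r)` above `bacula_run_admin(sysadm_t, sysadm_r)` and do the same in those blocks. Purely cosmetic, but the file is long and a uniform ordering makes the `_admin` coverage easier to audit.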

@@ -122,24 +246,101 @@ optional_policy(`
')

optional_policy(`
+ cmirrord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cobbler_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ collectd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ condor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ corosync_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ couchdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ctdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cups_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_admin(sysadm_t, sysadm_r)
cvs_exec(sysadm_t)
')

optional_policy(`
+ cyphesis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cyrus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dante_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
+ ddclient_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ denyhosts_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ devicekit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dhcpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dictd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dirmngr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ distcc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dkim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dmesg_exec(sysadm_t)
')

@@ -148,10 +349,54 @@ optional_policy(`
')

optional_policy(`
+ dnsmasq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dnssectrigger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dovecot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ drbd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dspam_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ entropyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ exim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fail2ban_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fcoe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fetchmail_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firewalld_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')

@@ -160,7 +405,31 @@ optional_policy(`
')

optional_policy(`
- hostname_run(sysadm_t, sysadm_r)
+ ftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gatekeeper_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gdomap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glusterfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpm_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpsd_admin(sysadm_t, sysadm_r)
')

optional_policy(`
@@ -168,6 +437,42 @@ optional_policy(`
')

optional_policy(`
+ hddtemp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ howl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hypervkvp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ i18n_input_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ icecast_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ifplugd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ inn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iodine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
@@ -183,14 +488,79 @@ optional_policy(`
')

optional_policy(`
+ irqbalance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iscsi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ isnsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ jabber_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kdump_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerberos_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerneloops_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ keystone_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kismet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ksmtuned_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kudzu_admin(sysadm_t, sysadm_r)
kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ l2tp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ldap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
+ lightsquid_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ likewise_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lircd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lldpad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')

@@ -204,16 +574,48 @@ optional_policy(`
')

optional_policy(`
+ lsmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ mandb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mcelog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ memcached_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minidlna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minissdpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
')

optional_policy(`
+ mongodb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ monop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mount_run(sysadm_t, sysadm_r)
')

@@ -222,10 +624,22 @@ optional_policy(`
')

optional_policy(`
+ mpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ mrtg_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mscan_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mta_role(sysadm_r, sysadm_t)
')

@@ -234,29 +648,122 @@ optional_policy(`
')

optional_policy(`
+ mysql_admin(sysadm_t, sysadm_r)
mysql_stream_connect(sysadm_t)
')

optional_policy(`
+ nagios_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nessus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
- ntp_stub()
+ networkmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nslcd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntp_admin(sysadm_t, sysadm_r)
corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
+ numad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nut_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
+ oident_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openhpi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvpn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvswitch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pacemaker_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pads_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
+ pcscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pegasus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ perdition_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pingd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pkcs_admin_slotd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ plymouthd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ polipo_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
@@ -264,18 +771,86 @@ optional_policy(`

optional_policy(`
portmap_run_helper(sysadm_t, sysadm_r)
+ portmap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ portreserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfixpolicyd_admin(sysadm_t, sysadm_r)
')

optional_policy(`
+ postgrey_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ppp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ prelude_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ privoxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ psad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ puppet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pxe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyicqt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyzor_admin(sysadm_t, sysadm_r)
pyzor_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ qpidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quantum_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
quota_run(sysadm_t, sysadm_r)
+ quota_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rabbitmq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radius_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radvd_admin(sysadm_t, sysadm_r)
')

optional_policy(`
raid_run_mdadm(sysadm_r, sysadm_t)
+ raid_admin_mdadm(sysadm_t, sysadm_r)
')

optional_policy(`
@@ -283,11 +858,49 @@ optional_policy(`
')

optional_policy(`
+ redis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ resmgr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rgmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhcs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhsmcertd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ricci_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rngd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ roundup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpc_admin(sysadm_t, sysadm_r)
rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
+ rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
rpm_run(sysadm_t, sysadm_r)
+ rpm_admin(sysadm_t, sysadm_r)
')

optional_policy(`
@@ -295,10 +908,22 @@ optional_policy(`
')

optional_policy(`
+ rsync_admin(sysadm_t, sysadm_r)
rsync_exec(sysadm_t)
')

optional_policy(`
+ rtkit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rwho_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ samba_admin(sysadm_t, sysadm_r)
+ samba_run_smbcontrol(sysadm_t, sysadm_r)
+ samba_run_smbmount(sysadm_t, sysadm_r)
samba_run_net(sysadm_t, sysadm_r)
samba_run_winbind_helper(sysadm_t, sysadm_r)
')
@@ -308,6 +933,18 @@ optional_policy(`
')

optional_policy(`
+ sanlock_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sasl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sblim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
')

@@ -316,11 +953,52 @@ optional_policy(`
')

optional_policy(`
+ sensord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ setroubleshoot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
+ shorewall_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ slpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smartmon_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smokeping_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smstools_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snmp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snort_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ soundserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ spamassassin_admin(sysadm_t, sysadm_r)
spamassassin_role(sysadm_r, sysadm_t)
')

@@ -329,10 +1007,18 @@ optional_policy(`
')

optional_policy(`
+ sssd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
staff_role_change(sysadm_r)
')

optional_policy(`
+ stapserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')

@@ -341,15 +1027,43 @@ optional_policy(`
')

optional_policy(`
+ svnserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
+ sysstat_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tcsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tgtd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
thunderbird_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ tor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ transproxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -365,6 +1079,10 @@ optional_policy(`
')

optional_policy(`
+ ulogd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
uml_role(sysadm_r, sysadm_t)
')

@@ -377,6 +1095,10 @@ optional_policy(`
')

optional_policy(`
+ uptime_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')

@@ -391,6 +1113,31 @@ optional_policy(`
')

optional_policy(`
+ uucp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ uuidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin_varnishlog(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vdagent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vhostmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ virt_admin(sysadm_t, sysadm_r)
virt_stream_connect(sysadm_t)
')

@@ -399,10 +1146,22 @@ optional_policy(`
')

optional_policy(`
+ vnstatd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ watchdog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ wdmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
webalizer_run(sysadm_t, sysadm_r)
')

@@ -419,15 +1178,32 @@ optional_policy(`
')

optional_policy(`
+ xfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')

+optional_policy(`
+ zabbix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zarafa_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zebra_admin(sysadm_t, sysadm_r)
+')
+
ifndef(`distro_redhat',`
optional_policy(`
auth_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ bluetooth_admin(sysadm_t, sysadm_r)
bluetooth_role(sysadm_r, sysadm_t)
')

@@ -468,6 +1244,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ircd_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
java_role(sysadm_r, sysadm_t)
')
')
--
2.3.6

2015-06-09 12:40:36

by cpebenito

Subject: [refpolicy] [PATCH v2 2/2] Add all the missing _admin interfaces to sysadm

On 6/8/2015 4:38 PM, Jason Zaman wrote:
> Lots of the foo_admin() interfaces were not applied to sysadm. This
> patch adds all the ones that were missing.
>
> The tests pass for all combinations of distros, monolithic,
> direct_initrc, standard/mcs/mls.

Merged.



> ---
> policy/modules/roles/sysadm.te | 788 ++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 784 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index f9919fd..5a95779 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -66,10 +66,47 @@ tunable_policy(`allow_ptrace',`
> ')
>
> optional_policy(`
> + abrt_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + accountsd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + acct_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + afs_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + aiccu_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + aide_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + aisexecd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + amavis_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + amtu_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + apache_admin(sysadm_t, sysadm_r)
> apache_run_helper(sysadm_t, sysadm_r)
> #apache_run_all_scripts(sysadm_t, sysadm_r)
> #apache_domtrans_sys_script(sysadm_t)
> @@ -77,8 +114,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> - # cjp: why is this not apm_run_client
> - apm_domtrans_client(sysadm_t)
> + apcupsd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + apm_admin(sysadm_t, sysadm_r)
> + apm_run_client(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> @@ -86,6 +127,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + arpwatch_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + asterisk_admin(sysadm_t, sysadm_r)
> asterisk_stream_connect(sysadm_t)
> ')
>
> @@ -94,26 +140,104 @@ optional_policy(`
> ')
>
> optional_policy(`
> + automount_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + avahi_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> backup_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> bacula_run_admin(sysadm_t, sysadm_r)
> + bacula_admin(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + bcfg2_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + bind_admin(sysadm_t, sysadm_r)
> bind_run_ndc(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + bird_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + bitlbee_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + boinc_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> bootloader_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + bugzilla_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cachefilesd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + calamaris_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + callweaver_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + canna_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ccs_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + certmaster_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + certmonger_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> certwatch_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + cfengine_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cgroup_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + chronyd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cipe_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + clamav_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> clock_run(sysadm_t, sysadm_r)
> ')
>
> @@ -122,24 +246,101 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cmirrord_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cobbler_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + collectd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + condor_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> consoletype_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + corosync_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + couchdb_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ctdb_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cups_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cvs_admin(sysadm_t, sysadm_r)
> cvs_exec(sysadm_t)
> ')
>
> optional_policy(`
> + cyphesis_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + cyrus_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dante_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> dcc_run_cdcc(sysadm_t, sysadm_r)
> dcc_run_client(sysadm_t, sysadm_r)
> dcc_run_dbclean(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + ddclient_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> ddcprobe_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + denyhosts_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + devicekit_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dhcpd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dictd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dirmngr_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + distcc_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dkim_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> dmesg_exec(sysadm_t)
> ')
>
> @@ -148,10 +349,54 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dnsmasq_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dnssectrigger_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dovecot_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> dpkg_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + drbd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + dspam_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + entropyd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + exim_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + fail2ban_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + fcoe_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + fetchmail_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + firewalld_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> firstboot_run(sysadm_t, sysadm_r)
> ')
>
> @@ -160,7 +405,31 @@ optional_policy(`
> ')
>
> optional_policy(`
> - hostname_run(sysadm_t, sysadm_r)
> + ftp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + gatekeeper_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + gdomap_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + glance_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + glusterfs_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + gpm_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + gpsd_admin(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> @@ -168,6 +437,42 @@ optional_policy(`
> ')
>
> optional_policy(`
> + hddtemp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + hostname_run(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + howl_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + hypervkvp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + i18n_input_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + icecast_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ifplugd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + inn_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + iodine_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> # allow system administrator to use the ipsec script to look
> # at things (e.g., ipsec auto --status)
> # probably should create an ipsec_admin role for this kind of thing
> @@ -183,14 +488,79 @@ optional_policy(`
> ')
>
> optional_policy(`
> + irqbalance_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + iscsi_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + isnsd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + jabber_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + kdump_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + kerberos_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + kerneloops_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + keystone_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + kismet_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ksmtuned_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + kudzu_admin(sysadm_t, sysadm_r)
> kudzu_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + l2tp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ldap_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> libs_run_ldconfig(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + lightsquid_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + likewise_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + lircd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + lldpad_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> lockdev_role(sysadm_r, sysadm_t)
> ')
>
> @@ -204,16 +574,48 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lsmd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> lvm_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + mandb_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + mcelog_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + memcached_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + minidlna_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + minissdpd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> modutils_run_depmod(sysadm_t, sysadm_r)
> modutils_run_insmod(sysadm_t, sysadm_r)
> modutils_run_update_mods(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + mongodb_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + monop_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> mount_run(sysadm_t, sysadm_r)
> ')
>
> @@ -222,10 +624,22 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mpd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> mplayer_role(sysadm_r, sysadm_t)
> ')
>
> optional_policy(`
> + mrtg_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + mscan_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> mta_role(sysadm_r, sysadm_t)
> ')
>
> @@ -234,29 +648,122 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_admin(sysadm_t, sysadm_r)
> mysql_stream_connect(sysadm_t)
> ')
>
> optional_policy(`
> + nagios_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + nessus_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> netutils_run(sysadm_t, sysadm_r)
> netutils_run_ping(sysadm_t, sysadm_r)
> netutils_run_traceroute(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> - ntp_stub()
> + networkmanager_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + nis_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + nscd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + nslcd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ntop_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ntp_admin(sysadm_t, sysadm_r)
> corenet_udp_bind_ntp_port(sysadm_t)
> ')
>
> optional_policy(`
> + numad_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + nut_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> oav_run_update(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + oident_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + openct_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + openhpi_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + openvpn_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + openvswitch_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pacemaker_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pads_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> pcmcia_run_cardctl(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + pcscd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pegasus_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + perdition_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pingd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pkcs_admin_slotd(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + plymouthd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + polipo_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> portage_run(sysadm_t, sysadm_r)
> portage_run_fetch(sysadm_t, sysadm_r)
> portage_run_gcc_config(sysadm_t, sysadm_r)
> @@ -264,18 +771,86 @@ optional_policy(`
>
> optional_policy(`
> portmap_run_helper(sysadm_t, sysadm_r)
> + portmap_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + portreserve_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + postfix_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + postfixpolicyd_admin(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + postgrey_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ppp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + prelude_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + privoxy_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + psad_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + puppet_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pxe_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pyicqt_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + pyzor_admin(sysadm_t, sysadm_r)
> pyzor_role(sysadm_r, sysadm_t)
> ')
>
> optional_policy(`
> + qpidd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + quantum_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> quota_run(sysadm_t, sysadm_r)
> + quota_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rabbitmq_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + radius_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + radvd_admin(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> raid_run_mdadm(sysadm_r, sysadm_t)
> + raid_admin_mdadm(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
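Review bot: The new `_admin` calls that join an existing optional_policy block are not kept in alphabetical order, which is the convention followed elsewhere in this file and in the other new blocks here: `portmap_admin` is placed after `portmap_run_helper`, `quota_admin` after `quota_run`, and `raid_admin_mdadm` after `raid_run_mdadm`. The same slip appears with `rpm_admin` after `rpm_run` in the next hunk and with `samba_run_smbcontrol`/`samba_run_smbmount` inserted ahead of `samba_run_net` two hunks on. Moving each `_admin` line to the top of its block, e.g. `portmap_admin(sysadm_t, sysadm_r)` followed by `portmap_run_helper(sysadm_t, sysadm_r)`, keeps the blocks sorted and makes later merges into this already very long file easier.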
> @@ -283,11 +858,49 @@ optional_policy(`
> ')
>
> optional_policy(`
> + redis_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + resmgr_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rgmanager_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rhcs_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rhsmcertd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + ricci_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rngd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + roundup_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rpc_admin(sysadm_t, sysadm_r)
> rpc_domtrans_nfsd(sysadm_t)
> ')
>
> optional_policy(`
> + rpcbind_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> rpm_run(sysadm_t, sysadm_r)
> + rpm_admin(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> @@ -295,10 +908,22 @@ optional_policy(`
> ')
>
> optional_policy(`
> + rsync_admin(sysadm_t, sysadm_r)
> rsync_exec(sysadm_t)
> ')
>
> optional_policy(`
> + rtkit_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + rwho_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + samba_admin(sysadm_t, sysadm_r)
> + samba_run_smbcontrol(sysadm_t, sysadm_r)
> + samba_run_smbmount(sysadm_t, sysadm_r)
> samba_run_net(sysadm_t, sysadm_r)
> samba_run_winbind_helper(sysadm_t, sysadm_r)
> ')
> @@ -308,6 +933,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + sanlock_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + sasl_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + sblim_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> screen_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
> @@ -316,11 +953,52 @@ optional_policy(`
> ')
>
> optional_policy(`
> + sensord_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + setroubleshoot_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> seutil_run_setfiles(sysadm_t, sysadm_r)
> seutil_run_runinit(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + shorewall_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + slpd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + smartmon_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + smokeping_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + smstools_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + snmp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + snort_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + soundserver_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + spamassassin_admin(sysadm_t, sysadm_r)
> spamassassin_role(sysadm_r, sysadm_t)
> ')
>
> @@ -329,10 +1007,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + sssd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> staff_role_change(sysadm_r)
> ')
>
> optional_policy(`
> + stapserver_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> su_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
> @@ -341,15 +1027,43 @@ optional_policy(`
> ')
>
> optional_policy(`
> + svnserve_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> sysnet_run_ifconfig(sysadm_t, sysadm_r)
> sysnet_run_dhcpc(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + sysstat_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + tcsd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + tftp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + tgtd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> thunderbird_role(sysadm_r, sysadm_t)
> ')
>
> optional_policy(`
> + tor_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + transproxy_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> tripwire_run_siggen(sysadm_t, sysadm_r)
> tripwire_run_tripwire(sysadm_t, sysadm_r)
> tripwire_run_twadmin(sysadm_t, sysadm_r)
> @@ -365,6 +1079,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ulogd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> uml_role(sysadm_r, sysadm_t)
> ')
>
> @@ -377,6 +1095,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + uptime_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> usbmodules_run(sysadm_t, sysadm_r)
> ')
>
> @@ -391,6 +1113,31 @@ optional_policy(`
> ')
>
> optional_policy(`
> + uucp_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + uuidd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + varnishd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + varnishd_admin_varnishlog(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + vdagent_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + vhostmd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + virt_admin(sysadm_t, sysadm_r)
> virt_stream_connect(sysadm_t)
> ')
>
> @@ -399,10 +1146,22 @@ optional_policy(`
> ')
>
> optional_policy(`
> + vnstatd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> vpn_run(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> + watchdog_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + wdmd_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> webalizer_run(sysadm_t, sysadm_r)
> ')
>
> @@ -419,15 +1178,32 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xfs_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> yam_run(sysadm_t, sysadm_r)
> ')
>
> +optional_policy(`
> + zabbix_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + zarafa_admin(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> + zebra_admin(sysadm_t, sysadm_r)
> +')
> +
> ifndef(`distro_redhat',`
> optional_policy(`
> auth_role(sysadm_r, sysadm_t)
> ')
>
> optional_policy(`
> + bluetooth_admin(sysadm_t, sysadm_r)
> bluetooth_role(sysadm_r, sysadm_t)
> ')
>
> @@ -468,6 +1244,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + ircd_admin(sysadm_t, sysadm_r)
> + ')
> +
> + optional_policy(`
> java_role(sysadm_r, sysadm_t)
> ')
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-06-09 12:40:39

by cpebenito

Subject: [refpolicy] [PATCH v2 1/2] Introduce iptables_admin

On 6/8/2015 4:38 PM, Jason Zaman wrote:
> ---
> policy/modules/roles/sysadm.te | 1 +
> policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 40 insertions(+)

Merged.



> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8219dea..f9919fd 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -178,6 +178,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_admin(sysadm_t, sysadm_r)
> iptables_run(sysadm_t, sysadm_r)
> ')
>
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index c42fbc3..26ce647 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
> files_search_etc($1)
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate an iptables
> +## environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`iptables_admin',`
> + gen_require(`
> + type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> + type iptables_tmp_t, iptables_var_run_t;
> + ')
> +
> + allow $1 iptables_t:process { ptrace signal_perms };
> + ps_process_pattern($1, iptables_t)
> +
> + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, iptables_conf_t)
> +
> + files_list_tmp($1)
> + admin_pattern($1, iptables_tmp_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, iptables_var_run_t)
> +')
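Review bot: The interface summary says only "administrate an iptables environment" and does not tell callers what is actually granted: `ptrace` and `signal_perms` on iptables_t, start/stop of the iptables init script, and full admin_pattern access to iptables_conf_t, iptables_tmp_t and iptables_var_run_t. Since ptrace on the firewall-configuration domain is the most sensitive of these, the `<summary>` should list them, e.g. `## Grants ptrace/signal on iptables_t, start/stop of the iptables service, and management of its config, tmp and pid files.`, and "administrate" is better spelled "administer". It is also worth stating that the interface does not include iptables_run, so a caller that must additionally execute iptables in the iptables_t domain has to add that separately, as the sysadm.te hunk above does.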
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com