From: jason@perfinion.com (Jason Zaman)
Date: Wed, 3 Dec 2014 23:09:28 +0400
Subject: [refpolicy] [PATCH v2] Add all the missing _admin interfaces to sysadm
Message-ID: <1417633768-2852-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Lots of the foo_admin() interfaces were not applied to sysadm. This patch adds all the ones that were missing. Interfaces are added together with the matching _role() interface if it was already present. Make all && make validate passes, but anyone else that can run any test suites on this would be appreciated too. Changes from v1: Removed some _run interfaces that are not required.
---
 policy/modules/roles/sysadm.te | 799 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 783 insertions(+), 16 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aeac0ff..02ad90b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -66,19 +66,56 @@ tunable_policy(`allow_ptrace',` ') optional_policy(` + abrt_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + accountsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + acct_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + afs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aiccu_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aide_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aisexecd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` amanda_run_recover(sysadm_t, sysadm_r) ') optional_policy(` - apache_run_helper(sysadm_t, sysadm_r) - #apache_run_all_scripts(sysadm_t, sysadm_r) - #apache_domtrans_sys_script(sysadm_t) + amavis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + amtu_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + apache_admin(sysadm_t, sysadm_r) apache_role(sysadm_r, sysadm_t) ') optional_policy(` - # cjp: why is this not apm_run_client - apm_domtrans_client(sysadm_t) + apcupsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + apm_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -86,6 +123,11 @@ optional_policy(` ') optional_policy(` + arpwatch_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + asterisk_admin(sysadm_t, sysadm_r) asterisk_stream_connect(sysadm_t) ') @@ -94,15 +136,39 @@ optional_policy(` ') optional_policy(` + automount_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + avahi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` backup_run(sysadm_t, sysadm_r) ') optional_policy(` - bacula_run_admin(sysadm_t, sysadm_r) + bacula_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + bcfg2_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + bind_admin(sysadm_t, sysadm_r) ') optional_policy(` - bind_run_ndc(sysadm_t, sysadm_r) + bird_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + bitlbee_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + boinc_admin(sysadm_t, sysadm_r) ') optional_policy(` 
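Review bot: In the `@@ -66,19` hunk, `apache_run_helper(sysadm_t, sysadm_r)` and `apm_domtrans_client(sysadm_t)` are removed in favour of `apache_admin` and `apm_admin`, and nothing in this diff shows that the `_admin` interfaces still give sysadm_t the transition into the helper or client domain. The description says the dropped `_run` calls are not required, but if an `_admin` body does not include the transition, the helper either stops being runnable from sysadm or, where sysadm_t may execute it without a transition, runs inside sysadm_t instead of its own confined domain. The same swap is made for `bacula_run_admin`, `bind_run_ndc`, `kudzu_run`, `portmap_run_helper`, `quota_run`, `raid_run_mdadm`, `rpm_run`, `samba_run_net` and `samba_run_winbind_helper` in later hunks. Either keep the old call beside the new one, as the patch already does for `asterisk_stream_connect` and `cvs_exec`, or add a one-line comment in each replaced block such as `# apache_admin() already calls apache_run_helper()` once that has been checked against the module's .if file.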
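Review bot: The `_admin` calls added here (`arpwatch_admin` and `asterisk_admin` in the `@@ -86,6` hunk, and every other one in the patch) may grant sysadm_t ptrace on the daemon domains outside the `allow_ptrace` tunable that the first hunk header shows this file using. The interface bodies are not part of this diff; if they allow process ptrace on the managed domain, as admin interfaces often do, sysadm_t gets it for each of these daemons even with the tunable off. Please confirm against the .if files and record the outcome, for example with a comment above the first added block: `# *_admin() may allow ptrace of the daemon domain regardless of allow_ptrace`.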
@@ -110,10 +176,62 @@ optional_policy(` ') optional_policy(` + bugzilla_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cachefilesd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + calamaris_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + callweaver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + canna_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ccs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + certmaster_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + certmonger_admin(sysadm_t, sysadm_r) +') + +optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') optional_policy(` + cfengine_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cgroup_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + chronyd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cipe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + clamav_admin(sysadm_t, sysadm_r) +') + +optional_policy(` clock_run(sysadm_t, sysadm_r) ') 
@@ -122,24 +240,101 @@ optional_policy(` ') optional_policy(` + cmirrord_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cobbler_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + collectd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + condor_admin(sysadm_t, sysadm_r) +') + +optional_policy(` consoletype_run(sysadm_t, sysadm_r) ') optional_policy(` + corosync_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + couchdb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ctdb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cups_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cvs_admin(sysadm_t, sysadm_r) cvs_exec(sysadm_t) ') optional_policy(` + cyphesis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cyrus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dante_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) ') optional_policy(` + ddclient_admin(sysadm_t, sysadm_r) +') + +optional_policy(` ddcprobe_run(sysadm_t, sysadm_r) ') optional_policy(` + denyhosts_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + devicekit_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dhcpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dictd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dirmngr_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + distcc_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dkim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dmesg_exec(sysadm_t) ') 
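Review bot: `denyhosts_admin` in the `@@ -122,24` hunk gives the general administrator role control of a host-protection daemon, and the patch does the same for other security tooling: `aide_admin` (first hunk), `fail2ban_admin`, `psad_admin`, `prelude_admin`, `snort_admin` and `setroubleshoot_admin`. On systems that keep sysadm apart from secadm/auditadm, a sysadm_t that can manage the integrity database or the IDS configuration weakens that separation; whether these interfaces actually allow writing those files is not visible in this diff. Consider leaving this group out of the blanket list or placing it behind a tunable, and mark the decision in the file with a comment such as `# security tooling: admin access deliberately granted to sysadm`.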
@@ -148,10 +343,54 @@ optional_policy(` ') optional_policy(` + dnsmasq_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dnssectrigger_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dovecot_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dpkg_run(sysadm_t, sysadm_r) ') optional_policy(` + drbd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dspam_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + entropyd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + exim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fail2ban_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fcoe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fetchmail_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + firewalld_admin(sysadm_t, sysadm_r) +') + +optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') 
@@ -160,14 +399,75 @@ optional_policy(` ') optional_policy(` - hostname_run(sysadm_t, sysadm_r) + ftp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gatekeeper_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gdomap_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + glance_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + glusterfs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gpm_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gpsd_admin(sysadm_t, sysadm_r) ') optional_policy(` + hadoop_admin(sysadm_t, sysadm_r) hadoop_role(sysadm_r, sysadm_t) ') optional_policy(` + hddtemp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + hostname_run(sysadm_t, sysadm_r) +') + +optional_policy(` + howl_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + hypervkvp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + i18n_input_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + icecast_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ifplugd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + inn_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + iodine_admin(sysadm_t, sysadm_r) +') + +optional_policy(` # allow system administrator to use the ipsec script to look # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing 
@@ -182,7 +482,55 @@ optional_policy(` ') optional_policy(` - kudzu_run(sysadm_t, sysadm_r) + irqbalance_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + iscsi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + isnsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + jabber_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kdump_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kerberos_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kerneloops_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + keystone_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kismet_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ksmtuned_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kudzu_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + l2tp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ldap_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -190,6 +538,22 @@ optional_policy(` ') optional_policy(` + lightsquid_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + likewise_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + lircd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + lldpad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` lockdev_role(sysadm_r, sysadm_t) ') @@ -203,16 +567,48 @@ optional_policy(` ') optional_policy(` + lsmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` lvm_run(sysadm_t, sysadm_r) ') optional_policy(` + mandb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + mcelog_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + memcached_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + minidlna_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + minissdpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) ') optional_policy(` + mongodb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + monop_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mount_run(sysadm_t, sysadm_r) ') 
@@ -221,60 +617,231 @@ optional_policy(` ') optional_policy(` + mpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') optional_policy(` + mrtg_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + mscan_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mta_role(sysadm_r, sysadm_t) ') optional_policy(` + munin_admin(sysadm_t, sysadm_r) munin_stream_connect(sysadm_t) ') optional_policy(` + mysql_admin(sysadm_t, sysadm_r) mysql_stream_connect(sysadm_t) ') optional_policy(` + nagios_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nessus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) ') optional_policy(` - ntp_stub() + networkmanager_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nscd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nslcd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ntop_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ntp_admin(sysadm_t, sysadm_r) corenet_udp_bind_ntp_port(sysadm_t) ') optional_policy(` + numad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nut_admin(sysadm_t, sysadm_r) +') + +optional_policy(` oav_run_update(sysadm_t, sysadm_r) ') optional_policy(` + oident_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openct_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openhpi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openvpn_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openvswitch_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pacemaker_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pads_admin(sysadm_t, sysadm_r) +') + +optional_policy(` pcmcia_run_cardctl(sysadm_t, sysadm_r) ') optional_policy(` + pcscd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pegasus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + perdition_admin(sysadm_t, sysadm_r) +') + 
+optional_policy(` + pingd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pkcs_admin_slotd(sysadm_t, sysadm_r) +') + +optional_policy(` + plymouthd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + polipo_admin(sysadm_t, sysadm_r) +') + +optional_policy(` portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') optional_policy(` - portmap_run_helper(sysadm_t, sysadm_r) + portmap_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + portreserve_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + postfix_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + postfixpolicyd_admin(sysadm_t, sysadm_r) ') optional_policy(` + postgrey_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ppp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + prelude_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + privoxy_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + psad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + puppet_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pxe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pyicqt_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pyzor_admin(sysadm_t, sysadm_r) pyzor_role(sysadm_r, sysadm_t) ') optional_policy(` - quota_run(sysadm_t, sysadm_r) + qpidd_admin(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) + quantum_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + quota_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rabbitmq_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + radius_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + radvd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + raid_admin_mdadm(sysadm_t, sysadm_r) ') optional_policy(` 
@@ -282,11 +849,48 @@ optional_policy(` ') optional_policy(` + redis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + resmgr_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rgmanager_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rhcs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rhsmcertd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ricci_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rngd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + roundup_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rpc_admin(sysadm_t, sysadm_r) rpc_domtrans_nfsd(sysadm_t) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) + rpcbind_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rpm_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -294,12 +898,20 @@ optional_policy(` ') optional_policy(` + rsync_admin(sysadm_t, sysadm_r) rsync_exec(sysadm_t) ') optional_policy(` - samba_run_net(sysadm_t, sysadm_r) - samba_run_winbind_helper(sysadm_t, sysadm_r) + rtkit_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rwho_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + samba_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -307,6 +919,18 @@ optional_policy(` ') optional_policy(` + sanlock_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + sasl_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + sblim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) ') 
@@ -315,11 +939,52 @@ optional_policy(` ') optional_policy(` + sensord_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + setroubleshoot_admin(sysadm_t, sysadm_r) +') + +optional_policy(` seutil_run_setfiles(sysadm_t, sysadm_r) seutil_run_runinit(sysadm_t, sysadm_r) ') optional_policy(` + shorewall_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + slpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smartmon_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smokeping_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smstools_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + snmp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + snort_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + soundserver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + spamassassin_admin(sysadm_t, sysadm_r) spamassassin_role(sysadm_r, sysadm_t) ') @@ -328,10 +993,18 @@ optional_policy(` ') optional_policy(` + sssd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` staff_role_change(sysadm_r) ') optional_policy(` + stapserver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` su_role_template(sysadm, sysadm_r, sysadm_t) ') @@ -340,15 +1013,43 @@ optional_policy(` ') optional_policy(` + svnserve_admin(sysadm_t, sysadm_r) +') + +optional_policy(` sysnet_run_ifconfig(sysadm_t, sysadm_r) sysnet_run_dhcpc(sysadm_t, sysadm_r) ') optional_policy(` + sysstat_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tcsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tftp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tgtd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` thunderbird_role(sysadm_r, sysadm_t) ') optional_policy(` + tor_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + transproxy_admin(sysadm_t, sysadm_r) +') + +optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) 
@@ -364,6 +1065,10 @@ optional_policy(` ') optional_policy(` + ulogd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` uml_role(sysadm_r, sysadm_t) ') @@ -376,6 +1081,10 @@ optional_policy(` ') optional_policy(` + uptime_admin(sysadm_t, sysadm_r) +') + +optional_policy(` usbmodules_run(sysadm_t, sysadm_r) ') @@ -390,6 +1099,31 @@ optional_policy(` ') optional_policy(` + uucp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + uuidd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + varnishd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + varnishd_admin_varnishlog(sysadm_t, sysadm_r) +') + +optional_policy(` + vdagent_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + vhostmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + virt_admin(sysadm_t, sysadm_r) virt_stream_connect(sysadm_t) ') @@ -398,10 +1132,22 @@ optional_policy(` ') optional_policy(` + vnstatd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` vpn_run(sysadm_t, sysadm_r) ') optional_policy(` + watchdog_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + wdmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` webalizer_run(sysadm_t, sysadm_r) ') @@ -418,15 +1164,32 @@ optional_policy(` ') optional_policy(` + xfs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` yam_run(sysadm_t, sysadm_r) ') +optional_policy(` + zabbix_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + zarafa_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + zebra_admin(sysadm_t, sysadm_r) +') + ifndef(`distro_redhat',` optional_policy(` auth_role(sysadm_r, sysadm_t) ') optional_policy(` + bluetooth_admin(sysadm_t, sysadm_r) bluetooth_role(sysadm_r, sysadm_t) ') @@ -467,6 +1230,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ircd_admin(sysadm_t, sysadm_r) + ') + + optional_policy(` java_role(sysadm_r, sysadm_t) ') ') -- 2.0.4
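Review bot: `bluetooth_admin` (in the `@@ -418,15` hunk) and `ircd_admin` (in the `@@ -467,6` hunk) are added inside the `ifndef` on `distro_redhat`, so builds that define `distro_redhat` do not get them, while every other daemon admin interface in this patch is unconditional. For bluetooth this follows the stated rule of pairing with the existing `bluetooth_role` call, but no ircd role call is visible beside `ircd_admin`, and it reads like a daemon interface that belongs in the main alphabetical list. Suggest moving its `optional_policy` block, containing `ircd_admin(sysadm_t, sysadm_r)`, up next to `iodine_admin`, or adding a comment that says why it is distro-conditional. The `ifndef` block starts and ends outside both hunks.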