---
policy/modules/roles/sysadm.te | 2 +-
policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8219dea..55e0179 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -178,7 +178,7 @@ optional_policy(`
')
optional_policy(`
- iptables_run(sysadm_t, sysadm_r)
+ iptables_admin(sysadm_t, sysadm_r)
')
optional_policy(`
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index c42fbc3..26ce647 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an iptables
+## environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iptables_admin',`
+ gen_require(`
+ type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+ type iptables_tmp_t, iptables_var_run_t;
+ ')
+
+ allow $1 iptables_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iptables_t)
+
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, iptables_conf_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, iptables_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, iptables_var_run_t)
+')
--
2.3.6
---
policy/modules/roles/sysadm.te | 8 +------
policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 55e0179..5c4b3fc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -168,13 +168,7 @@ optional_policy(`
')
optional_policy(`
- # allow system administrator to use the ipsec script to look
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_admin(sysadm_t, sysadm_r)
')
optional_policy(`
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..6e8739f 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ipsec environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_admin',`
+ gen_require(`
+ type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t;
+ type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
+ type ipsec_var_run_t, ipsec_mgmt_lock_t;
+ type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ ')
+
+ allow $1 ipsec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ipsec_t)
+
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t })
+
+ files_list_tmp($1)
+ admin_pattern($1, { ipsec_tmp_t racoon_tmp_t })
+
+ files_list_pids($1)
+ admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t })
+
+ files_list_locks($1)
+ admin_pattern($1, ipsec_mgmt_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ipsec_log_t)
+')
--
2.3.6
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing. Interfaces are added together
with the matching _role() interface if it was already present. In some
cases _run() was replaced with _admin()
The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
---
policy/modules/roles/sysadm.te | 798 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 782 insertions(+), 16 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5c4b3fc..9d03af6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -65,20 +65,57 @@ tunable_policy(`allow_ptrace',`
domain_ptrace_all_domains(sysadm_t)
')
+#optional_policy(`
+# abrt_admin(sysadm_t, sysadm_r)
+#')
+
+optional_policy(`
+ accountsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ acct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ afs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aiccu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aide_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aisexecd_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r)
- #apache_run_all_scripts(sysadm_t, sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
+ amavis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ amtu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apache_admin(sysadm_t, sysadm_r)
apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
+ apcupsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apm_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -86,6 +123,11 @@ optional_policy(`
')
optional_policy(`
+ arpwatch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ asterisk_admin(sysadm_t, sysadm_r)
asterisk_stream_connect(sysadm_t)
')
@@ -94,15 +136,39 @@ optional_policy(`
')
optional_policy(`
+ automount_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ avahi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
backup_run(sysadm_t, sysadm_r)
')
optional_policy(`
- bacula_run_admin(sysadm_t, sysadm_r)
+ bacula_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bcfg2_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bird_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- bind_run_ndc(sysadm_t, sysadm_r)
+ bitlbee_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ boinc_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -110,10 +176,62 @@ optional_policy(`
')
optional_policy(`
+ bugzilla_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cachefilesd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ calamaris_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ callweaver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ canna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ccs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmaster_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmonger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ cfengine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cgroup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ chronyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cipe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clamav_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
clock_run(sysadm_t, sysadm_r)
')
@@ -122,24 +240,101 @@ optional_policy(`
')
optional_policy(`
+ cmirrord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cobbler_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ collectd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ condor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ corosync_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ couchdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ctdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cups_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_admin(sysadm_t, sysadm_r)
cvs_exec(sysadm_t)
')
optional_policy(`
+ cyphesis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cyrus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dante_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
')
optional_policy(`
+ ddclient_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
ddcprobe_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ denyhosts_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ devicekit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dhcpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dictd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dirmngr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ distcc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dkim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dmesg_exec(sysadm_t)
')
@@ -148,10 +343,54 @@ optional_policy(`
')
optional_policy(`
+ dnsmasq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dnssectrigger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dovecot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ drbd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dspam_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ entropyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ exim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fail2ban_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fcoe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fetchmail_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firewalld_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')
@@ -160,7 +399,31 @@ optional_policy(`
')
optional_policy(`
- hostname_run(sysadm_t, sysadm_r)
+ ftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gatekeeper_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gdomap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glusterfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpm_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpsd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -168,6 +431,42 @@ optional_policy(`
')
optional_policy(`
+ hddtemp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ howl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hypervkvp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ i18n_input_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ icecast_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ifplugd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ inn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iodine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
ipsec_admin(sysadm_t, sysadm_r)
')
@@ -176,7 +475,55 @@ optional_policy(`
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ irqbalance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iscsi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ isnsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ jabber_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kdump_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerberos_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerneloops_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ keystone_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kismet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ksmtuned_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kudzu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ l2tp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ldap_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -184,6 +531,22 @@ optional_policy(`
')
optional_policy(`
+ lightsquid_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ likewise_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lircd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lldpad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')
@@ -197,16 +560,48 @@ optional_policy(`
')
optional_policy(`
+ lsmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lvm_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ mandb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mcelog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ memcached_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minidlna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minissdpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
')
optional_policy(`
+ mongodb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ monop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mount_run(sysadm_t, sysadm_r)
')
@@ -215,60 +610,231 @@ optional_policy(`
')
optional_policy(`
+ mpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ mrtg_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mscan_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mta_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ #munin_admin(sysadm_t, sysadm_r)
munin_stream_connect(sysadm_t)
')
optional_policy(`
+ mysql_admin(sysadm_t, sysadm_r)
mysql_stream_connect(sysadm_t)
')
optional_policy(`
+ nagios_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nessus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
')
optional_policy(`
- ntp_stub()
+ networkmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nslcd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntp_admin(sysadm_t, sysadm_r)
corenet_udp_bind_ntp_port(sysadm_t)
')
optional_policy(`
+ numad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nut_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
oav_run_update(sysadm_t, sysadm_r)
')
optional_policy(`
+ oident_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openhpi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvpn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvswitch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pacemaker_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pads_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
optional_policy(`
+ pcscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pegasus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ perdition_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pingd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pkcs_admin_slotd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ plymouthd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ polipo_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
optional_policy(`
- portmap_run_helper(sysadm_t, sysadm_r)
+ portmap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ portreserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfixpolicyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postgrey_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ppp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ prelude_admin(sysadm_t, sysadm_r)
')
optional_policy(`
+ privoxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ psad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ puppet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pxe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyicqt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyzor_admin(sysadm_t, sysadm_r)
pyzor_role(sysadm_r, sysadm_t)
')
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
+ qpidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quantum_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
+ quota_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rabbitmq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radius_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radvd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ raid_admin_mdadm(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -276,11 +842,48 @@ optional_policy(`
')
optional_policy(`
+ redis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ resmgr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rgmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhcs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhsmcertd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ricci_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rngd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ roundup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpc_admin(sysadm_t, sysadm_r)
rpc_domtrans_nfsd(sysadm_t)
')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
+ rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpm_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -288,12 +891,20 @@ optional_policy(`
')
optional_policy(`
+ rsync_admin(sysadm_t, sysadm_r)
rsync_exec(sysadm_t)
')
optional_policy(`
- samba_run_net(sysadm_t, sysadm_r)
- samba_run_winbind_helper(sysadm_t, sysadm_r)
+ rtkit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rwho_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ samba_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -301,6 +912,18 @@ optional_policy(`
')
optional_policy(`
+ sanlock_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sasl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sblim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -309,11 +932,52 @@ optional_policy(`
')
optional_policy(`
+ sensord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ setroubleshoot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')
optional_policy(`
+ shorewall_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ slpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smartmon_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smokeping_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smstools_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snmp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snort_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ soundserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ spamassassin_admin(sysadm_t, sysadm_r)
spamassassin_role(sysadm_r, sysadm_t)
')
@@ -322,10 +986,18 @@ optional_policy(`
')
optional_policy(`
+ sssd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
staff_role_change(sysadm_r)
')
optional_policy(`
+ stapserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -334,15 +1006,43 @@ optional_policy(`
')
optional_policy(`
+ svnserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
optional_policy(`
+ sysstat_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tcsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tgtd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
thunderbird_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ tor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ transproxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -358,6 +1058,10 @@ optional_policy(`
')
optional_policy(`
+ ulogd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
uml_role(sysadm_r, sysadm_t)
')
@@ -370,6 +1074,10 @@ optional_policy(`
')
optional_policy(`
+ uptime_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -384,6 +1092,31 @@ optional_policy(`
')
optional_policy(`
+ uucp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ uuidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin_varnishlog(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vdagent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vhostmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ virt_admin(sysadm_t, sysadm_r)
virt_stream_connect(sysadm_t)
')
@@ -392,10 +1125,22 @@ optional_policy(`
')
optional_policy(`
+ vnstatd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ watchdog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ wdmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
webalizer_run(sysadm_t, sysadm_r)
')
@@ -412,15 +1157,32 @@ optional_policy(`
')
optional_policy(`
+ xfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
+optional_policy(`
+ zabbix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zarafa_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zebra_admin(sysadm_t, sysadm_r)
+')
+
ifndef(`distro_redhat',`
optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ bluetooth_admin(sysadm_t, sysadm_r)
bluetooth_role(sysadm_r, sysadm_t)
')
@@ -461,6 +1223,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ ircd_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
java_role(sysadm_r, sysadm_t)
')
')
--
2.3.6
On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote:
> ---
> policy/modules/roles/sysadm.te | 2 +-
> policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 40 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8219dea..55e0179 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -178,7 +178,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - iptables_run(sysadm_t, sysadm_r)
> + iptables_admin(sysadm_t, sysadm_r)
> ')
Why remove iptables_run()?
>
> optional_policy(`
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index c42fbc3..26ce647 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
> files_search_etc($1)
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate an iptables
> +## environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`iptables_admin',`
> + gen_require(`
> + type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> + type iptables_tmp_t, iptables_var_run_t;
> + ')
> +
> + allow $1 iptables_t:process { ptrace signal_perms };
> + ps_process_pattern($1, iptables_t)
> +
> + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, iptables_conf_t)
> +
> + files_list_tmp($1)
> + admin_pattern($1, iptables_tmp_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, iptables_var_run_t)
> +')
> --
> 2.3.6
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150608/c103ea4c/attachment.bin
On Mon, Jun 08, 2015 at 11:45:21AM +0200, Dominick Grift wrote:
> On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote:
> > ---
> > policy/modules/roles/sysadm.te | 2 +-
> > policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 40 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 8219dea..55e0179 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -178,7 +178,7 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > - iptables_run(sysadm_t, sysadm_r)
> > + iptables_admin(sysadm_t, sysadm_r)
> > ')
>
> Why remove iptables_run()?
Hmm, good point. I'll add that back in v2.
I'll wait a little while longer for other comments before sending v2.
Did you find any other issues in the rest of the patches?
-- Jason
>
> >
> > optional_policy(`
> > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> > index c42fbc3..26ce647 100644
> > --- a/policy/modules/system/iptables.if
> > +++ b/policy/modules/system/iptables.if
> > @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
> > files_search_etc($1)
> > manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> > ')
> > +
> > +########################################
> > +## <summary>
> > +## All of the rules required to
> > +## administrate an iptables
> > +## environment.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`iptables_admin',`
> > + gen_require(`
> > + type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> > + type iptables_tmp_t, iptables_var_run_t;
> > + ')
> > +
> > + allow $1 iptables_t:process { ptrace signal_perms };
> > + ps_process_pattern($1, iptables_t)
> > +
> > + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> > +
> > + files_list_etc($1)
> > + admin_pattern($1, iptables_conf_t)
> > +
> > + files_list_tmp($1)
> > + admin_pattern($1, iptables_tmp_t)
> > +
> > + files_list_pids($1)
> > + admin_pattern($1, iptables_var_run_t)
> > +')
> > --
> > 2.3.6
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> 02DFF788
> 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
> http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> Dominick Grift
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
On Mon, Jun 08, 2015 at 02:33:03PM +0400, Jason Zaman wrote:
> On Mon, Jun 08, 2015 at 11:45:21AM +0200, Dominick Grift wrote:
> > On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote:
> > > ---
> > > policy/modules/roles/sysadm.te | 2 +-
> > > policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
> > > 2 files changed, 40 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > > index 8219dea..55e0179 100644
> > > --- a/policy/modules/roles/sysadm.te
> > > +++ b/policy/modules/roles/sysadm.te
> > > @@ -178,7 +178,7 @@ optional_policy(`
> > > ')
> > >
> > > optional_policy(`
> > > - iptables_run(sysadm_t, sysadm_r)
> > > + iptables_admin(sysadm_t, sysadm_r)
> > > ')
> >
> > Why remove iptables_run()?
>
> Hmm, good point. I'll add that back in v2.
>
> I'll wait a little while longer for other comments before sending v2.
> Did you find any other issues in the rest of the patches?
I think i saw similar instances in your other patches where run interfaces were removed.
>
> -- Jason
>
> >
> > >
> > > optional_policy(`
> > > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> > > index c42fbc3..26ce647 100644
> > > --- a/policy/modules/system/iptables.if
> > > +++ b/policy/modules/system/iptables.if
> > > @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
> > > files_search_etc($1)
> > > manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> > > ')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## All of the rules required to
> > > +## administrate an iptables
> > > +## environment.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +## <param name="role">
> > > +## <summary>
> > > +## Role allowed access.
> > > +## </summary>
> > > +## </param>
> > > +## <rolecap/>
> > > +#
> > > +interface(`iptables_admin',`
> > > + gen_require(`
> > > + type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> > > + type iptables_tmp_t, iptables_var_run_t;
> > > + ')
> > > +
> > > + allow $1 iptables_t:process { ptrace signal_perms };
> > > + ps_process_pattern($1, iptables_t)
> > > +
> > > + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> > > +
> > > + files_list_etc($1)
> > > + admin_pattern($1, iptables_conf_t)
> > > +
> > > + files_list_tmp($1)
> > > + admin_pattern($1, iptables_tmp_t)
> > > +
> > > + files_list_pids($1)
> > > + admin_pattern($1, iptables_var_run_t)
> > > +')
> > > --
> > > 2.3.6
> > >
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > --
> > 02DFF788
> > 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
> > http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> > Dominick Grift
>
>
>
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150608/70c652bd/attachment.bin
On Mon, Jun 08, 2015 at 01:29:22PM +0400, Jason Zaman wrote:
> ---
> policy/modules/roles/sysadm.te | 8 +------
> policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 52 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 55e0179..5c4b3fc 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -168,13 +168,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - # allow system administrator to use the ipsec script to look
> - # at things (e.g., ipsec auto --status)
> - # probably should create an ipsec_admin role for this kind of thing
> - ipsec_exec_mgmt(sysadm_t)
> - ipsec_stream_connect(sysadm_t)
> - # for lsof
> - ipsec_getattr_key_sockets(sysadm_t)
> + ipsec_admin(sysadm_t, sysadm_r)
Do not commit this one yet. I want to setup ipsec properly and test this
part. It is really messy I think I will end up creating an ipsec_role
also.
-- Jason
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
> index 0d4c8d3..6e8739f 100644
> --- a/policy/modules/system/ipsec.if
> +++ b/policy/modules/system/ipsec.if
> @@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',`
> ipsec_domtrans_setkey($1)
> role $2 types setkey_t;
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate an ipsec environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`ipsec_admin',`
> + gen_require(`
> + type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t;
> + type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
> + type ipsec_var_run_t, ipsec_mgmt_lock_t;
> + type ipsec_mgmt_var_run_t, racoon_tmp_t;
> + ')
> +
> + allow $1 ipsec_t:process { ptrace signal_perms };
> + ps_process_pattern($1, ipsec_t)
> +
> + init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
> +
> + ipsec_exec_mgmt(sysadm_t)
> + ipsec_stream_connect(sysadm_t)
> + # for lsof
> + ipsec_getattr_key_sockets(sysadm_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t })
> +
> + files_list_tmp($1)
> + admin_pattern($1, { ipsec_tmp_t racoon_tmp_t })
> +
> + files_list_pids($1)
> + admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t })
> +
> + files_list_locks($1)
> + admin_pattern($1, ipsec_mgmt_lock_t)
> +
> + logging_list_logs($1)
> + admin_pattern($1, ipsec_log_t)
> +')
> --
> 2.3.6
>