* [refpolicy] [PATCH v2 1/2] Introduce iptables_admin @ 2015-06-08 20:38 Jason Zaman
From: Jason Zaman @ 2015-06-08 20:38 UTC
To: refpolicy
--- policy/modules/roles/sysadm.te | 1 + policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 8219dea..f9919fd 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -178,6 +178,7 @@ optional_policy(` ') optional_policy(` + iptables_admin(sysadm_t, sysadm_r) iptables_run(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index c42fbc3..26ce647 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',` files_search_etc($1) manage_files_pattern($1, iptables_conf_t, iptables_conf_t) ') + +######################################## +## <summary> +## All of the rules required to +## administrate an iptables +## environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`iptables_admin',` + gen_require(` + type iptables_t, iptables_initrc_exec_t, iptables_conf_t; + type iptables_tmp_t, iptables_var_run_t; + ') + + allow $1 iptables_t:process { ptrace signal_perms }; + ps_process_pattern($1, iptables_t) + + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) + + files_list_etc($1) + admin_pattern($1, iptables_conf_t) + + files_list_tmp($1) + admin_pattern($1, iptables_tmp_t) + + files_list_pids($1) + admin_pattern($1, iptables_var_run_t) +') -- 2.3.6
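Review bot: in the sysadm.te hunk, `iptables_run(sysadm_t, sysadm_r)` is kept next to the new `iptables_admin(sysadm_t, sysadm_r)`, and that is right: the interface defined in the iptables.if hunk grants process, service and file administration but never role-transitions sysadm_r into iptables_t, so `_run` is still what lets sysadm execute iptables. The patch has no commit message, though; a one-line body stating that `_admin` complements rather than replaces `_run` would spare the next reader the detour into iptables.if.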
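Review bot: `allow $1 iptables_t:process { ptrace signal_perms };` gives every caller of `iptables_admin` unconditional ptrace over the iptables domain, whereas sysadm.te gates ptrace under the `allow_ptrace` tunable (the tunable_policy block is visible as hunk context in patch 2/2). Start, stop, status and cleanup need only `signal_perms`, `ps_process_pattern` and the `init_startstop_service` call already present; consider dropping `ptrace` from the interface or leaving it to the tunable. Also, the existing `iptables_manage_config` uses `files_search_etc($1)` while the new interface uses `files_list_etc($1)`; listing is the broader of the two and acceptable for an admin interface, but the difference is worth a glance.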
* [refpolicy] [PATCH v2 2/2] Add all the missing _admin interfaces to sysadm
From: Jason Zaman @ 2015-06-08 20:38 UTC
To: refpolicy
Lots of the foo_admin() interfaces were not applied to sysadm. This patch adds all the ones that were missing.
The tests pass for all combinations of distros, monolithic, direct_initrc, standard/mcs/mls.
--- policy/modules/roles/sysadm.te | 788 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 784 insertions(+), 4 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index f9919fd..5a95779 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -66,10 +66,47 @@ tunable_policy(`allow_ptrace',` ') optional_policy(` + abrt_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + accountsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + acct_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + afs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aiccu_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aide_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + aisexecd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` amanda_run_recover(sysadm_t, sysadm_r) ') optional_policy(` + amavis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + amtu_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + apache_admin(sysadm_t, sysadm_r) apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t)
@@ -77,8 +114,12 @@ optional_policy(` ') optional_policy(` - # cjp: why is this not apm_run_client - apm_domtrans_client(sysadm_t) + apcupsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + apm_admin(sysadm_t, sysadm_r) + apm_run_client(sysadm_t, sysadm_r) ') optional_policy(` @@ -86,6 +127,11 @@ optional_policy(` ') optional_policy(` + arpwatch_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + asterisk_admin(sysadm_t, sysadm_r) asterisk_stream_connect(sysadm_t) ') 
@@ -94,26 +140,104 @@ optional_policy(` ') optional_policy(` + automount_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + avahi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` backup_run(sysadm_t, sysadm_r) ') optional_policy(` bacula_run_admin(sysadm_t, sysadm_r) + bacula_admin(sysadm_t, sysadm_r) ') optional_policy(` + bcfg2_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + bind_admin(sysadm_t, sysadm_r) bind_run_ndc(sysadm_t, sysadm_r) ') optional_policy(` + bird_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + bitlbee_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + boinc_admin(sysadm_t, sysadm_r) +') + +optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') optional_policy(` + bugzilla_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cachefilesd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + calamaris_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + callweaver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + canna_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ccs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + certmaster_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + certmonger_admin(sysadm_t, sysadm_r) +') + +optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') optional_policy(` + cfengine_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cgroup_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + chronyd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cipe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + clamav_admin(sysadm_t, sysadm_r) +') + +optional_policy(` clock_run(sysadm_t, sysadm_r) ') 
@@ -122,24 +246,101 @@ optional_policy(` ') optional_policy(` + cmirrord_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cobbler_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + collectd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + condor_admin(sysadm_t, sysadm_r) +') + +optional_policy(` consoletype_run(sysadm_t, sysadm_r) ') optional_policy(` + corosync_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + couchdb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ctdb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cups_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cvs_admin(sysadm_t, sysadm_r) cvs_exec(sysadm_t) ') optional_policy(` + cyphesis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + cyrus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dante_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) ') optional_policy(` + ddclient_admin(sysadm_t, sysadm_r) +') + +optional_policy(` ddcprobe_run(sysadm_t, sysadm_r) ') optional_policy(` + denyhosts_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + devicekit_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dhcpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dictd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dirmngr_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + distcc_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dkim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dmesg_exec(sysadm_t) ') 
@@ -148,10 +349,54 @@ optional_policy(` ') optional_policy(` + dnsmasq_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dnssectrigger_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dovecot_admin(sysadm_t, sysadm_r) +') + +optional_policy(` dpkg_run(sysadm_t, sysadm_r) ') optional_policy(` + drbd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + dspam_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + entropyd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + exim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fail2ban_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fcoe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + fetchmail_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + firewalld_admin(sysadm_t, sysadm_r) +') + +optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') @@ -160,7 +405,31 @@ optional_policy(` ') optional_policy(` - hostname_run(sysadm_t, sysadm_r) + ftp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gatekeeper_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gdomap_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + glance_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + glusterfs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gpm_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + gpsd_admin(sysadm_t, sysadm_r) ') optional_policy(` 
@@ -168,6 +437,42 @@ optional_policy(` ') optional_policy(` + hddtemp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + hostname_run(sysadm_t, sysadm_r) +') + +optional_policy(` + howl_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + hypervkvp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + i18n_input_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + icecast_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ifplugd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + inn_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + iodine_admin(sysadm_t, sysadm_r) +') + +optional_policy(` # allow system administrator to use the ipsec script to look # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing @@ -183,14 +488,79 @@ optional_policy(` ') optional_policy(` + irqbalance_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + iscsi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + isnsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + jabber_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kdump_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kerberos_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kerneloops_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + keystone_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kismet_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ksmtuned_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + kudzu_admin(sysadm_t, sysadm_r) kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` + l2tp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ldap_admin(sysadm_t, sysadm_r) +') + +optional_policy(` libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` + lightsquid_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + likewise_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + lircd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + lldpad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` lockdev_role(sysadm_r, sysadm_t) ') 
@@ -204,16 +574,48 @@ optional_policy(` ') optional_policy(` + lsmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` lvm_run(sysadm_t, sysadm_r) ') optional_policy(` + mandb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + mcelog_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + memcached_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + minidlna_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + minissdpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) ') optional_policy(` + mongodb_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + monop_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mount_run(sysadm_t, sysadm_r) ') @@ -222,10 +624,22 @@ optional_policy(` ') optional_policy(` + mpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') optional_policy(` + mrtg_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + mscan_admin(sysadm_t, sysadm_r) +') + +optional_policy(` mta_role(sysadm_r, sysadm_t) ') 
@@ -234,29 +648,122 @@ optional_policy(` ') optional_policy(` + mysql_admin(sysadm_t, sysadm_r) mysql_stream_connect(sysadm_t) ') optional_policy(` + nagios_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nessus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) ') optional_policy(` - ntp_stub() + networkmanager_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nscd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nslcd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ntop_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ntp_admin(sysadm_t, sysadm_r) corenet_udp_bind_ntp_port(sysadm_t) ') optional_policy(` + numad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nut_admin(sysadm_t, sysadm_r) +') + +optional_policy(` oav_run_update(sysadm_t, sysadm_r) ') optional_policy(` + oident_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openct_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openhpi_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openvpn_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + openvswitch_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pacemaker_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pads_admin(sysadm_t, sysadm_r) +') + +optional_policy(` pcmcia_run_cardctl(sysadm_t, sysadm_r) ') optional_policy(` + pcscd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pegasus_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + perdition_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pingd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pkcs_admin_slotd(sysadm_t, sysadm_r) +') + +optional_policy(` + plymouthd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + polipo_admin(sysadm_t, sysadm_r) +') + +optional_policy(` portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, 
sysadm_r) @@ -264,18 +771,86 @@ optional_policy(` optional_policy(` portmap_run_helper(sysadm_t, sysadm_r) + portmap_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + portreserve_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + postfix_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + postfixpolicyd_admin(sysadm_t, sysadm_r) ') optional_policy(` + postgrey_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ppp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + prelude_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + privoxy_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + psad_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + puppet_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pxe_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pyicqt_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + pyzor_admin(sysadm_t, sysadm_r) pyzor_role(sysadm_r, sysadm_t) ') optional_policy(` + qpidd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + quantum_admin(sysadm_t, sysadm_r) +') + +optional_policy(` quota_run(sysadm_t, sysadm_r) + quota_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rabbitmq_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + radius_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + radvd_admin(sysadm_t, sysadm_r) ') optional_policy(` raid_run_mdadm(sysadm_r, sysadm_t) + raid_admin_mdadm(sysadm_t, sysadm_r) ') optional_policy(` 
@@ -283,11 +858,49 @@ optional_policy(` ') optional_policy(` + redis_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + resmgr_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rgmanager_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rhcs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rhsmcertd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + ricci_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rngd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + roundup_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rpc_admin(sysadm_t, sysadm_r) rpc_domtrans_nfsd(sysadm_t) ') optional_policy(` + rpcbind_admin(sysadm_t, sysadm_r) +') + +optional_policy(` rpm_run(sysadm_t, sysadm_r) + rpm_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -295,10 +908,22 @@ optional_policy(` ') optional_policy(` + rsync_admin(sysadm_t, sysadm_r) rsync_exec(sysadm_t) ') optional_policy(` + rtkit_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + rwho_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + samba_admin(sysadm_t, sysadm_r) + samba_run_smbcontrol(sysadm_t, sysadm_r) + samba_run_smbmount(sysadm_t, sysadm_r) samba_run_net(sysadm_t, sysadm_r) samba_run_winbind_helper(sysadm_t, sysadm_r) ') @@ -308,6 +933,18 @@ optional_policy(` ') optional_policy(` + sanlock_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + sasl_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + sblim_admin(sysadm_t, sysadm_r) +') + +optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) ') 
@@ -316,11 +953,52 @@ optional_policy(` ') optional_policy(` + sensord_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + setroubleshoot_admin(sysadm_t, sysadm_r) +') + +optional_policy(` seutil_run_setfiles(sysadm_t, sysadm_r) seutil_run_runinit(sysadm_t, sysadm_r) ') optional_policy(` + shorewall_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + slpd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smartmon_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smokeping_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + smstools_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + snmp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + snort_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + soundserver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + spamassassin_admin(sysadm_t, sysadm_r) spamassassin_role(sysadm_r, sysadm_t) ') @@ -329,10 +1007,18 @@ optional_policy(` ') optional_policy(` + sssd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` staff_role_change(sysadm_r) ') optional_policy(` + stapserver_admin(sysadm_t, sysadm_r) +') + +optional_policy(` su_role_template(sysadm, sysadm_r, sysadm_t) ') @@ -341,15 +1027,43 @@ optional_policy(` ') optional_policy(` + svnserve_admin(sysadm_t, sysadm_r) +') + +optional_policy(` sysnet_run_ifconfig(sysadm_t, sysadm_r) sysnet_run_dhcpc(sysadm_t, sysadm_r) ') optional_policy(` + sysstat_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tcsd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tftp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + tgtd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` thunderbird_role(sysadm_r, sysadm_t) ') optional_policy(` + tor_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + transproxy_admin(sysadm_t, sysadm_r) +') + +optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) 
@@ -365,6 +1079,10 @@ optional_policy(` ') optional_policy(` + ulogd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` uml_role(sysadm_r, sysadm_t) ') @@ -377,6 +1095,10 @@ optional_policy(` ') optional_policy(` + uptime_admin(sysadm_t, sysadm_r) +') + +optional_policy(` usbmodules_run(sysadm_t, sysadm_r) ') @@ -391,6 +1113,31 @@ optional_policy(` ') optional_policy(` + uucp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + uuidd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + varnishd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + varnishd_admin_varnishlog(sysadm_t, sysadm_r) +') + +optional_policy(` + vdagent_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + vhostmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + virt_admin(sysadm_t, sysadm_r) virt_stream_connect(sysadm_t) ') @@ -399,10 +1146,22 @@ optional_policy(` ') optional_policy(` + vnstatd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` vpn_run(sysadm_t, sysadm_r) ') optional_policy(` + watchdog_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + wdmd_admin(sysadm_t, sysadm_r) +') + +optional_policy(` webalizer_run(sysadm_t, sysadm_r) ') @@ -419,15 +1178,32 @@ optional_policy(` ') optional_policy(` + xfs_admin(sysadm_t, sysadm_r) +') + +optional_policy(` yam_run(sysadm_t, sysadm_r) ') +optional_policy(` + zabbix_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + zarafa_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + zebra_admin(sysadm_t, sysadm_r) +') + ifndef(`distro_redhat',` optional_policy(` auth_role(sysadm_r, sysadm_t) ') optional_policy(` + bluetooth_admin(sysadm_t, sysadm_r) bluetooth_role(sysadm_r, sysadm_t) ') @@ -468,6 +1244,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ircd_admin(sysadm_t, sysadm_r) + ') + + optional_policy(` java_role(sysadm_r, sysadm_t) ') ') -- 2.3.6
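Review bot: the `@@ -66,10 +66,47 @@` hunk adds `apache_admin` to a block that still carries the dead `#apache_run_all_scripts` and `#apache_domtrans_sys_script` lines; since the block is being touched anyway, either remove the commented-out calls or note why they stay, so a later reader does not mistake them for pending work from this series.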
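Review bot: the `@@ -77,8 +114,12 @@` hunk does more than add `_admin` calls: it replaces `apm_domtrans_client(sysadm_t)` with `apm_run_client(sysadm_t, sysadm_r)` (answering the old `# cjp: why is this not apm_run_client` comment) and therefore also adds a role transition for sysadm_r. That is a behaviour change the commit message does not mention; a sentence along the lines of "apm: switch sysadm from domtrans to apm_run_client" belongs in the log.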
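Review bot: in the `@@ -234,29 +648,122 @@` hunk `ntp_stub()` is replaced by `ntp_admin(sysadm_t, sysadm_r)` in the block that also holds `corenet_udp_bind_ntp_port(sysadm_t)`. That keeps the port bind conditional on the ntp module, which is what the stub existed for, but swapping a no-op stub for a full `_admin` grant turns the block from "bind the ntp port if ntp is installed" into "administer ntpd", and the commit message should say so.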
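Review bot: in the `@@ -264,18 +771,86 @@` hunk the existing `raid_run_mdadm(sysadm_r, sysadm_t)` and the new `raid_admin_mdadm(sysadm_t, sysadm_r)` pass role and domain in opposite orders. The build passing means each call matches its interface, but the adjacent pair reads like a swapped-argument typo; a short comment, or aligning `raid_run_mdadm` with the usual (domain, role) order in a follow-up, would avoid a false alarm in the next review.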
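Review bot: the `@@ -295,10 +908,22 @@` hunk adds `samba_run_smbcontrol` and `samba_run_smbmount`, which are `_run` interfaces (new role transitions for sysadm_r) rather than `_admin` ones, and like the apm change they fall outside what the commit message describes. Mention them in the log or move them to their own patch.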
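Review bot: `bluetooth_admin` (hunk `@@ -419,15 +1178,32 @@`) and `ircd_admin` (hunk `@@ -468,6 +1244,10 @@`) land inside the `ifndef(distro_redhat)` block, so Red Hat builds will not receive them. That mirrors where the existing `bluetooth_role` and `java_role` calls live, but since the message says all missing `_admin` interfaces are added, a line confirming these two exclusions are deliberate would help.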
* [refpolicy] [PATCH v2 2/2] Add all the missing _admin interfaces to sysadm
From: Christopher J. PeBenito @ 2015-06-09 12:40 UTC
To: refpolicy
On 6/8/2015 4:38 PM, Jason Zaman wrote:
> Lots of the foo_admin() interfaces were not applied to sysadm. This > patch adds all the ones that were missing. > > The tests pass for all combinations of distros, monolithic, > direct_initrc, standard/mcs/mls.
Merged.
> --- > policy/modules/roles/sysadm.te | 788 ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 784 insertions(+), 4 deletions(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index f9919fd..5a95779 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -66,10 +66,47 @@ tunable_policy(`allow_ptrace',` > ') > > optional_policy(` > + abrt_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + accountsd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + acct_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + afs_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + aiccu_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + aide_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + aisexecd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > amanda_run_recover(sysadm_t, sysadm_r) > ') > > optional_policy(` > + amavis_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + amtu_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + apache_admin(sysadm_t, sysadm_r) > apache_run_helper(sysadm_t, sysadm_r) > #apache_run_all_scripts(sysadm_t, sysadm_r) > #apache_domtrans_sys_script(sysadm_t)
> @@ -77,8 +114,12 @@ optional_policy(` > ') > > optional_policy(` > - # cjp: why is this not apm_run_client > - apm_domtrans_client(sysadm_t) > + apcupsd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + apm_admin(sysadm_t, sysadm_r) > + apm_run_client(sysadm_t, sysadm_r) > ') > > optional_policy(` > @@ -86,6 +127,11 @@ optional_policy(` > ') > > optional_policy(` > + arpwatch_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + asterisk_admin(sysadm_t, sysadm_r) > asterisk_stream_connect(sysadm_t) > ') 
> > @@ -94,26 +140,104 @@ optional_policy(` > ') > > optional_policy(` > + automount_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + avahi_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > backup_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > bacula_run_admin(sysadm_t, sysadm_r) > + bacula_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` > + bcfg2_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + bind_admin(sysadm_t, sysadm_r) > bind_run_ndc(sysadm_t, sysadm_r) > ') > > optional_policy(` > + bird_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + bitlbee_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + boinc_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > bootloader_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + bugzilla_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cachefilesd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + calamaris_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + callweaver_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + canna_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ccs_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + certmaster_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + certmonger_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > certwatch_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + cfengine_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cgroup_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + chronyd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cipe_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + clamav_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > clock_run(sysadm_t, sysadm_r) > ') 
> > @@ -122,24 +246,101 @@ optional_policy(` > ') > > optional_policy(` > + cmirrord_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cobbler_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + collectd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + condor_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > consoletype_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + corosync_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + couchdb_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ctdb_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cups_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cvs_admin(sysadm_t, sysadm_r) > cvs_exec(sysadm_t) > ') > > optional_policy(` > + cyphesis_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + cyrus_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dante_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > dcc_run_cdcc(sysadm_t, sysadm_r) > dcc_run_client(sysadm_t, sysadm_r) > dcc_run_dbclean(sysadm_t, sysadm_r) > ') > > optional_policy(` > + ddclient_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > ddcprobe_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + denyhosts_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + devicekit_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dhcpd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dictd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dirmngr_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + distcc_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dkim_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > dmesg_exec(sysadm_t) > ') 
> > @@ -148,10 +349,54 @@ optional_policy(` > ') > > optional_policy(` > + dnsmasq_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dnssectrigger_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dovecot_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > dpkg_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + drbd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + dspam_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + entropyd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + exim_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + fail2ban_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + fcoe_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + fetchmail_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + firewalld_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > firstboot_run(sysadm_t, sysadm_r) > ') > > @@ -160,7 +405,31 @@ optional_policy(` > ') > > optional_policy(` > - hostname_run(sysadm_t, sysadm_r) > + ftp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + gatekeeper_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + gdomap_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + glance_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + glusterfs_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + gpm_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + gpsd_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` 
> @@ -168,6 +437,42 @@ optional_policy(` > ') > > optional_policy(` > + hddtemp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + hostname_run(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + howl_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + hypervkvp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + i18n_input_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + icecast_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ifplugd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + inn_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + iodine_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > # allow system administrator to use the ipsec script to look > # at things (e.g., ipsec auto --status) > # probably should create an ipsec_admin role for this kind of thing 
> @@ -183,14 +488,79 @@ optional_policy(` > ') > > optional_policy(` > + irqbalance_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + iscsi_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + isnsd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + jabber_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + kdump_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + kerberos_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + kerneloops_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + keystone_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + kismet_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ksmtuned_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + kudzu_admin(sysadm_t, sysadm_r) > kudzu_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + l2tp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ldap_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > libs_run_ldconfig(sysadm_t, sysadm_r) > ') > > optional_policy(` > + lightsquid_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + likewise_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + lircd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + lldpad_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > lockdev_role(sysadm_r, sysadm_t) > ') 
> > @@ -204,16 +574,48 @@ optional_policy(` > ') > > optional_policy(` > + lsmd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > lvm_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + mandb_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + mcelog_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + memcached_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + minidlna_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + minissdpd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > modutils_run_depmod(sysadm_t, sysadm_r) > modutils_run_insmod(sysadm_t, sysadm_r) > modutils_run_update_mods(sysadm_t, sysadm_r) > ') > > optional_policy(` > + mongodb_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + monop_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > mount_run(sysadm_t, sysadm_r) > ') > > @@ -222,10 +624,22 @@ optional_policy(` > ') > > optional_policy(` > + mpd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > mplayer_role(sysadm_r, sysadm_t) > ') > > optional_policy(` > + mrtg_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + mscan_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > mta_role(sysadm_r, sysadm_t) > ') 
> > @@ -234,29 +648,122 @@ optional_policy(` > ') > > optional_policy(` > + mysql_admin(sysadm_t, sysadm_r) > mysql_stream_connect(sysadm_t) > ') > > optional_policy(` > + nagios_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + nessus_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > netutils_run(sysadm_t, sysadm_r) > netutils_run_ping(sysadm_t, sysadm_r) > netutils_run_traceroute(sysadm_t, sysadm_r) > ') > > optional_policy(` > - ntp_stub() > + networkmanager_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + nis_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + nscd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + nslcd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ntop_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ntp_admin(sysadm_t, sysadm_r) > corenet_udp_bind_ntp_port(sysadm_t) > ') > > optional_policy(` > + numad_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + nut_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > oav_run_update(sysadm_t, sysadm_r) > ') > > optional_policy(` > + oident_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + openct_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + openhpi_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + openvpn_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + openvswitch_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pacemaker_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pads_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > pcmcia_run_cardctl(sysadm_t, sysadm_r) > ') > > optional_policy(` > + pcscd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pegasus_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + perdition_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pingd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pkcs_admin_slotd(sysadm_t, sysadm_r) > +') > + > +optional_policy(` 
> + plymouthd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + polipo_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > portage_run(sysadm_t, sysadm_r) > portage_run_fetch(sysadm_t, sysadm_r) > portage_run_gcc_config(sysadm_t, sysadm_r) > @@ -264,18 +771,86 @@ optional_policy(` > > optional_policy(` > portmap_run_helper(sysadm_t, sysadm_r) > + portmap_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + portreserve_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + postfix_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + postfixpolicyd_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` > + postgrey_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ppp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + prelude_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + privoxy_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + psad_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + puppet_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pxe_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pyicqt_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + pyzor_admin(sysadm_t, sysadm_r) > pyzor_role(sysadm_r, sysadm_t) > ') > > optional_policy(` > + qpidd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + quantum_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > quota_run(sysadm_t, sysadm_r) > + quota_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rabbitmq_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + radius_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + radvd_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` > raid_run_mdadm(sysadm_r, sysadm_t) > + raid_admin_mdadm(sysadm_t, sysadm_r) > ') > > optional_policy(` 
> @@ -283,11 +858,49 @@ optional_policy(` > ') > > optional_policy(` > + redis_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + resmgr_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rgmanager_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rhcs_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rhsmcertd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + ricci_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rngd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + roundup_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rpc_admin(sysadm_t, sysadm_r) > rpc_domtrans_nfsd(sysadm_t) > ') > > optional_policy(` > + rpcbind_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > rpm_run(sysadm_t, sysadm_r) > + rpm_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` > @@ -295,10 +908,22 @@ optional_policy(` > ') > > optional_policy(` > + rsync_admin(sysadm_t, sysadm_r) > rsync_exec(sysadm_t) > ') > > optional_policy(` > + rtkit_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + rwho_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + samba_admin(sysadm_t, sysadm_r) > + samba_run_smbcontrol(sysadm_t, sysadm_r) > + samba_run_smbmount(sysadm_t, sysadm_r) > samba_run_net(sysadm_t, sysadm_r) > samba_run_winbind_helper(sysadm_t, sysadm_r) > ') > @@ -308,6 +933,18 @@ optional_policy(` > ') > > optional_policy(` > + sanlock_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + sasl_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + sblim_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > screen_role_template(sysadm, sysadm_r, sysadm_t) > ') 
> > @@ -316,11 +953,52 @@ optional_policy(` > ') > > optional_policy(` > + sensord_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + setroubleshoot_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > seutil_run_setfiles(sysadm_t, sysadm_r) > seutil_run_runinit(sysadm_t, sysadm_r) > ') > > optional_policy(` > + shorewall_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + slpd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + smartmon_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + smokeping_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + smstools_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + snmp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + snort_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + soundserver_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + spamassassin_admin(sysadm_t, sysadm_r) > spamassassin_role(sysadm_r, sysadm_t) > ') > > @@ -329,10 +1007,18 @@ optional_policy(` > ') > > optional_policy(` > + sssd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > staff_role_change(sysadm_r) > ') > > optional_policy(` > + stapserver_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > su_role_template(sysadm, sysadm_r, sysadm_t) > ') 
> > @@ -341,15 +1027,43 @@ optional_policy(` > ') > > optional_policy(` > + svnserve_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > sysnet_run_ifconfig(sysadm_t, sysadm_r) > sysnet_run_dhcpc(sysadm_t, sysadm_r) > ') > > optional_policy(` > + sysstat_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + tcsd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + tftp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + tgtd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > thunderbird_role(sysadm_r, sysadm_t) > ') > > optional_policy(` > + tor_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + transproxy_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > tripwire_run_siggen(sysadm_t, sysadm_r) > tripwire_run_tripwire(sysadm_t, sysadm_r) > tripwire_run_twadmin(sysadm_t, sysadm_r) > @@ -365,6 +1079,10 @@ optional_policy(` > ') > > optional_policy(` > + ulogd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > uml_role(sysadm_r, sysadm_t) > ') > > @@ -377,6 +1095,10 @@ optional_policy(` > ') > > optional_policy(` > + uptime_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > usbmodules_run(sysadm_t, sysadm_r) > ') > > @@ -391,6 +1113,31 @@ optional_policy(` > ') > > optional_policy(` > + uucp_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + uuidd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + varnishd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + varnishd_admin_varnishlog(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + vdagent_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + vhostmd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + virt_admin(sysadm_t, sysadm_r) > virt_stream_connect(sysadm_t) > ') 
> > @@ -399,10 +1146,22 @@ optional_policy(` > ') > > optional_policy(` > + vnstatd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > vpn_run(sysadm_t, sysadm_r) > ') > > optional_policy(` > + watchdog_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + wdmd_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > webalizer_run(sysadm_t, sysadm_r) > ') > > @@ -419,15 +1178,32 @@ optional_policy(` > ') > > optional_policy(` > + xfs_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > yam_run(sysadm_t, sysadm_r) > ') > > +optional_policy(` > + zabbix_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + zarafa_admin(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > + zebra_admin(sysadm_t, sysadm_r) > +') > + > ifndef(`distro_redhat',` > optional_policy(` > auth_role(sysadm_r, sysadm_t) > ') > > optional_policy(` > + bluetooth_admin(sysadm_t, sysadm_r) > bluetooth_role(sysadm_r, sysadm_t) > ') > > @@ -468,6 +1244,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + ircd_admin(sysadm_t, sysadm_r) > + ') > + > + optional_policy(` > java_role(sysadm_r, sysadm_t) > ') > ') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 4+ messages in thread
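Review bot: in the `@@ -264,18 +771,86 @@` hunk, the new line `raid_admin_mdadm(sysadm_t, sysadm_r)` passes (domain, role) while the existing line directly above it, `raid_run_mdadm(sysadm_r, sysadm_t)`, passes (role, domain). Confirm against the interface declarations in raid.if that the two interfaces really take opposite argument orders, since a swapped domain/role pair would not do what the line intends.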
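Review bot: in the `@@ -295,10 +908,22 @@` hunk, `samba_run_smbcontrol(sysadm_t, sysadm_r)` and `samba_run_smbmount(sysadm_t, sysadm_r)` are `_run_` interfaces, not `_admin` ones, so they fall outside what the patch subject ("Add all the missing _admin interfaces to sysadm") describes. Either mention them in the commit message or, if `samba_admin` already grants those domain transitions, drop the two lines so the block stays minimal.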
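Review bot: in the `@@ -391,6 +1113,31 @@` hunk, `varnishd_admin(sysadm_t, sysadm_r)` and `varnishd_admin_varnishlog(sysadm_t, sysadm_r)` sit in two separate `optional_policy(`...')` blocks although both belong to the same module; elsewhere in this file interfaces of one module share a single block (compare the samba and tripwire blocks), so merge them into one.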
* [refpolicy] [PATCH v2 1/2] Introduce iptables_admin 2015-06-08 20:38 [refpolicy] [PATCH v2 1/2] Introduce iptables_admin Jason Zaman 2015-06-08 20:38 ` [refpolicy] [PATCH v2 2/2] Add all the missing _admin interfaces to sysadm Jason Zaman @ 2015-06-09 12:40 ` Christopher J. PeBenito 1 sibling, 0 replies; 4+ messages in thread From: Christopher J. PeBenito @ 2015-06-09 12:40 UTC (permalink / raw) To: refpolicy On 6/8/2015 4:38 PM, Jason Zaman wrote: > --- > policy/modules/roles/sysadm.te | 1 + > policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++ > 2 files changed, 40 insertions(+) Merged. > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8219dea..f9919fd 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -178,6 +178,7 @@ optional_policy(` > ') > > optional_policy(` > + iptables_admin(sysadm_t, sysadm_r) > iptables_run(sysadm_t, sysadm_r) > ') > > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if > index c42fbc3..26ce647 100644 > --- a/policy/modules/system/iptables.if > +++ b/policy/modules/system/iptables.if 
> @@ -163,3 +163,42 @@ interface(`iptables_manage_config',` > files_search_etc($1) > manage_files_pattern($1, iptables_conf_t, iptables_conf_t) > ') > + > +######################################## > +## <summary> > +## All of the rules required to > +## administrate an iptables > +## environment. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="role"> > +## <summary> > +## Role allowed access. > +## </summary> > +## </param> > +## <rolecap/> > +# > +interface(`iptables_admin',` > + gen_require(` > + type iptables_t, iptables_initrc_exec_t, iptables_conf_t; > + type iptables_tmp_t, iptables_var_run_t; > + ') > + > + allow $1 iptables_t:process { ptrace signal_perms }; > + ps_process_pattern($1, iptables_t) > + > + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) > + > + files_list_etc($1) > + admin_pattern($1, iptables_conf_t) > + > + files_list_tmp($1) > + admin_pattern($1, iptables_tmp_t) > + > + files_list_pids($1) > + admin_pattern($1, iptables_var_run_t) > +') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 4+ messages in thread
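Review bot: the `iptables_admin` interface in the `@@ -163,3 +163,42 @@` hunk grants no domain transition into iptables_t, which is why the sysadm.te hunk has to call both `iptables_admin(sysadm_t, sysadm_r)` and `iptables_run(sysadm_t, sysadm_r)`. Either have `iptables_admin` call `iptables_run($1, $2)` itself, or state in the `<summary>` that callers must also grant `iptables_run`. Note also that `allow $1 iptables_t:process { ptrace signal_perms };` is the broadest permission in the interface: ptrace lets the caller inspect the memory of a running iptables_t process, so the interface should only be given to domains that are already trusted with the full firewall state.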