* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/roles/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: bfd35800dc901a938a2aef452538cf417e2861e5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:54:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 30 16:00:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfd35800
Add kdeconnect role entries
bug 536672
policy/modules/roles/staff.te | 5 +++++
policy/modules/roles/unprivuser.te | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 13ecf4d..30e13d2 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -222,6 +222,11 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ kdeconnect_role(staff_r, staff_t)
+ kdeconnect_dbus_chat(staff_t)
+ ')
+
+ optional_policy(`
links_role(staff_r, staff_t)
')
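Review bot: kdeconnect_dbus_chat(staff_t) is called right after kdeconnect_role(staff_r, staff_t) in the new block, and the unprivuser.te hunk repeats the same pair for user_t. If every role that gets kdeconnect_role also needs the D-Bus chat permission, call it from inside kdeconnect_role so a role file cannot grant one without the other; if the split is deliberate, a one-line comment saying why would help the next reader.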
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 93e2d60..eca14f1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -202,6 +202,11 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ kdeconnect_role(user_r, user_t)
+ kdeconnect_dbus_chat(user_t)
+ ')
+
+ optional_policy(`
links_role(user_r, user_t)
')
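Review bot: The new kdeconnect_role(user_r, user_t) block carries no in-policy pointer to the bug it addresses; "bug 536672" appears only in the commit message. Other blocks in this distro_gentoo section record the bug inline (sysadm.te has "# Bug 529208" above dmesg_run), so a "# Bug 536672" comment above these two lines, here and in staff.te, would keep the rationale next to the rule.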
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/roles/
@ 2015-06-09 13:34 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:34 UTC
To: gentoo-commits
commit: 9af1d958667a91d353ce389ed5e4449750d54142
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun 8 20:38:22 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:06:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9af1d958
Add all the missing _admin interfaces to sysadm
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.
The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
policy/modules/roles/sysadm.te | 910 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 845 insertions(+), 65 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 9169215..4ece2da 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -66,216 +66,791 @@ tunable_policy(`allow_ptrace',`
')
optional_policy(`
+ abrt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ accountsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ acct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ afs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aiccu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aide_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aisexecd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r)
- #apache_run_all_scripts(sysadm_t, sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
+ amavis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ amtu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apache_admin(sysadm_t, sysadm_r)
+ apache_run_helper(sysadm_t, sysadm_r)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+ apache_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ apcupsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apm_admin(sysadm_t, sysadm_r)
+ apm_run_client(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apt_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ arpwatch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ asterisk_admin(sysadm_t, sysadm_r)
+ asterisk_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ auditadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+ automount_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ avahi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ backup_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bacula_run_admin(sysadm_t, sysadm_r)
+ bacula_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bcfg2_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bind_admin(sysadm_t, sysadm_r)
+ bind_run_ndc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bird_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bitlbee_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ boinc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bootloader_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bugzilla_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cachefilesd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ calamaris_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ callweaver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ canna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ccs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmaster_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmonger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cfengine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cgroup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ chronyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cipe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clamav_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clock_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clockspeed_run_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cmirrord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cobbler_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ collectd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ condor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ consoletype_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ corosync_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ couchdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ctdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cups_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_admin(sysadm_t, sysadm_r)
+ cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+ cyphesis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cyrus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dante_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dcc_run_cdcc(sysadm_t, sysadm_r)
+ dcc_run_client(sysadm_t, sysadm_r)
+ dcc_run_dbclean(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ddclient_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ denyhosts_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ devicekit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dhcpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dictd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dirmngr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ distcc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dkim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+ dmidecode_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dnsmasq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dnssectrigger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dovecot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dpkg_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ drbd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dspam_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ entropyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ exim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fail2ban_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fcoe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fetchmail_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firewalld_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firstboot_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fstools_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gatekeeper_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gdomap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glusterfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpm_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hadoop_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ hddtemp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ howl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hypervkvp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ i18n_input_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ icecast_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ifplugd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ inn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iodine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+ iptables_admin(sysadm_t, sysadm_r)
+ iptables_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ irqbalance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iscsi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ isnsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ jabber_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kdump_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerberos_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerneloops_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ keystone_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kismet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ksmtuned_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kudzu_admin(sysadm_t, sysadm_r)
+ kudzu_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ l2tp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ldap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lightsquid_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ likewise_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lircd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lldpad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ logrotate_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(sysadm_t, sysadm_r)
+ lpd_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ lsmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lvm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mandb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mcelog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ memcached_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minidlna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minissdpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mongodb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ monop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
')
optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
+ mozilla_role(sysadm_r, sysadm_t)
')
optional_policy(`
- apt_run(sysadm_t, sysadm_r)
+ mpd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- asterisk_stream_connect(sysadm_t)
+ mplayer_role(sysadm_r, sysadm_t)
')
optional_policy(`
- auditadm_role_change(sysadm_r)
+ mrtg_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- backup_run(sysadm_t, sysadm_r)
+ mscan_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- bacula_run_admin(sysadm_t, sysadm_r)
+ mta_role(sysadm_r, sysadm_t)
')
optional_policy(`
- bind_run_ndc(sysadm_t, sysadm_r)
+ munin_stream_connect(sysadm_t)
')
optional_policy(`
- bootloader_run(sysadm_t, sysadm_r)
+ mysql_admin(sysadm_t, sysadm_r)
+ mysql_stream_connect(sysadm_t)
')
optional_policy(`
- certwatch_run(sysadm_t, sysadm_r)
+ nagios_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- clock_run(sysadm_t, sysadm_r)
+ nessus_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- clockspeed_run_cli(sysadm_t, sysadm_r)
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
')
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
+ networkmanager_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
+ nis_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- dcc_run_cdcc(sysadm_t, sysadm_r)
- dcc_run_client(sysadm_t, sysadm_r)
- dcc_run_dbclean(sysadm_t, sysadm_r)
+ nscd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- ddcprobe_run(sysadm_t, sysadm_r)
+ nslcd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- dmesg_exec(sysadm_t)
+ ntop_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- dmidecode_run(sysadm_t, sysadm_r)
+ ntp_admin(sysadm_t, sysadm_r)
+ corenet_udp_bind_ntp_port(sysadm_t)
')
optional_policy(`
- dpkg_run(sysadm_t, sysadm_r)
+ numad_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- firstboot_run(sysadm_t, sysadm_r)
+ nut_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- fstools_run(sysadm_t, sysadm_r)
+ oav_run_update(sysadm_t, sysadm_r)
')
optional_policy(`
- hostname_run(sysadm_t, sysadm_r)
+ oident_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- hadoop_role(sysadm_r, sysadm_t)
+ openct_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- # allow system administrator to use the ipsec script to look
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
+ openhpi_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- iptables_admin(sysadm_t, sysadm_r)
- iptables_run(sysadm_t, sysadm_r)
+ openvpn_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ openvswitch_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ pacemaker_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
+ pads_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- logrotate_run(sysadm_t, sysadm_r)
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
optional_policy(`
- lpd_run_checkpc(sysadm_t, sysadm_r)
- lpd_role(sysadm_r, sysadm_t)
+ pcscd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- lvm_run(sysadm_t, sysadm_r)
+ pegasus_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- modutils_run_depmod(sysadm_t, sysadm_r)
- modutils_run_insmod(sysadm_t, sysadm_r)
- modutils_run_update_mods(sysadm_t, sysadm_r)
+ perdition_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- mount_run(sysadm_t, sysadm_r)
+ pingd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
+ pkcs_admin_slotd(sysadm_t, sysadm_r)
')
optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
+ plymouthd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- mta_role(sysadm_r, sysadm_t)
+ polipo_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- munin_stream_connect(sysadm_t)
+ portage_run(sysadm_t, sysadm_r)
+ portage_run_fetch(sysadm_t, sysadm_r)
+ portage_run_gcc_config(sysadm_t, sysadm_r)
')
optional_policy(`
- mysql_stream_connect(sysadm_t)
+ portmap_run_helper(sysadm_t, sysadm_r)
+ portmap_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- netutils_run(sysadm_t, sysadm_r)
- netutils_run_ping(sysadm_t, sysadm_r)
- netutils_run_traceroute(sysadm_t, sysadm_r)
+ portreserve_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
+ postfix_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- oav_run_update(sysadm_t, sysadm_r)
+ postfixpolicyd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- pcmcia_run_cardctl(sysadm_t, sysadm_r)
+ postgrey_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- portage_run(sysadm_t, sysadm_r)
- portage_run_fetch(sysadm_t, sysadm_r)
- portage_run_gcc_config(sysadm_t, sysadm_r)
+ ppp_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- portmap_run_helper(sysadm_t, sysadm_r)
+ prelude_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ privoxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ psad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ puppet_admin(sysadm_t, sysadm_r)
')
optional_policy(`
+ pxe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyicqt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyzor_admin(sysadm_t, sysadm_r)
pyzor_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ qpidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quantum_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
quota_run(sysadm_t, sysadm_r)
+ quota_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rabbitmq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radius_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radvd_admin(sysadm_t, sysadm_r)
')
optional_policy(`
raid_run_mdadm(sysadm_r, sysadm_t)
+ raid_admin_mdadm(sysadm_t, sysadm_r)
')
optional_policy(`
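Review bot: Within the rewritten blocks of this hunk the new _admin call is placed inconsistently relative to the existing _run calls: apache_admin, apm_admin and bind_admin come first in their blocks, while bacula_admin, portmap_admin, quota_admin and raid_admin_mdadm come after the _run line. Pick one order and apply it throughout. The raid block also ends up with raid_run_mdadm(sysadm_r, sysadm_t) next to raid_admin_mdadm(sysadm_t, sysadm_r), opposite argument orders on adjacent lines, which is worth confirming against both interface definitions. Separately, apm_domtrans_client(sysadm_t) becomes apm_run_client(sysadm_t, sysadm_r) and ntp_stub() is dropped; both go beyond adding _admin calls and deserve a line in the commit message.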
@@ -283,11 +858,49 @@ optional_policy(`
')
optional_policy(`
+ redis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ resmgr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rgmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhcs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhsmcertd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ricci_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rngd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ roundup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpc_admin(sysadm_t, sysadm_r)
rpc_domtrans_nfsd(sysadm_t)
')
optional_policy(`
+ rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
rpm_run(sysadm_t, sysadm_r)
+ rpm_admin(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -295,10 +908,22 @@ optional_policy(`
')
optional_policy(`
+ rsync_admin(sysadm_t, sysadm_r)
rsync_exec(sysadm_t)
')
optional_policy(`
+ rtkit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rwho_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ samba_admin(sysadm_t, sysadm_r)
+ samba_run_smbcontrol(sysadm_t, sysadm_r)
+ samba_run_smbmount(sysadm_t, sysadm_r)
samba_run_net(sysadm_t, sysadm_r)
samba_run_winbind_helper(sysadm_t, sysadm_r)
')
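Review bot: samba_run_smbcontrol(sysadm_t, sysadm_r) and samba_run_smbmount(sysadm_t, sysadm_r) are _run interfaces, not _admin ones, so they fall outside what the commit message says this patch adds. Either mention them in the message or move them to their own commit, so that a later audit of what sysadm_t may execute can find where they were introduced.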
@@ -308,6 +933,18 @@ optional_policy(`
')
optional_policy(`
+ sanlock_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sasl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sblim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -316,11 +953,52 @@ optional_policy(`
')
optional_policy(`
+ sensord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ setroubleshoot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')
optional_policy(`
+ shorewall_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ slpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smartmon_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smokeping_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smstools_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snmp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snort_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ soundserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ spamassassin_admin(sysadm_t, sysadm_r)
spamassassin_role(sysadm_r, sysadm_t)
')
@@ -329,10 +1007,18 @@ optional_policy(`
')
optional_policy(`
+ sssd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
staff_role_change(sysadm_r)
')
optional_policy(`
+ stapserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -341,15 +1027,43 @@ optional_policy(`
')
optional_policy(`
+ svnserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
optional_policy(`
+ sysstat_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tcsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tgtd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
thunderbird_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ tor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ transproxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -365,6 +1079,10 @@ optional_policy(`
')
optional_policy(`
+ ulogd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
uml_role(sysadm_r, sysadm_t)
')
@@ -377,6 +1095,10 @@ optional_policy(`
')
optional_policy(`
+ uptime_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -391,6 +1113,31 @@ optional_policy(`
')
optional_policy(`
+ uucp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ uuidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin_varnishlog(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vdagent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vhostmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ virt_admin(sysadm_t, sysadm_r)
virt_stream_connect(sysadm_t)
')
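Review bot: varnishd_admin and varnishd_admin_varnishlog are each wrapped in their own optional_policy block, whereas elsewhere in this patch calls into one module share a block (the samba and apache blocks, for example). Unless the two interfaces are provided by different modules, merge them into a single block.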
@@ -399,10 +1146,22 @@ optional_policy(`
')
optional_policy(`
+ vnstatd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
+ watchdog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ wdmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
webalizer_run(sysadm_t, sysadm_r)
')
@@ -419,15 +1178,32 @@ optional_policy(`
')
optional_policy(`
+ xfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
+optional_policy(`
+ zabbix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zarafa_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zebra_admin(sysadm_t, sysadm_r)
+')
+
ifndef(`distro_redhat',`
optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
optional_policy(`
+ bluetooth_admin(sysadm_t, sysadm_r)
bluetooth_role(sysadm_r, sysadm_t)
')
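Review bot: bluetooth_admin(sysadm_t, sysadm_r) is added inside the ifndef distro_redhat section, so Red Hat builds do not get it, while the _admin calls up to zebra_admin are added unconditionally; ircd_admin in the next hunk has the same placement. If that is only because bluetooth_role and the neighbouring blocks already live there, say so in the commit message; otherwise move the two _admin calls to the top-level list.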
@@ -468,6 +1244,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ ircd_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
java_role(sysadm_r, sysadm_t)
')
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/roles/
@ 2015-06-11 16:04 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
To: gentoo-commits
commit: d0fe826f850a149ba60f855049fb81c70804be23
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun 9 14:01:58 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:36:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d0fe826f
sysadm: add gentoo _admin interfaces to sysadm.te
policy/modules/roles/sysadm.te | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1963c88..6a91344 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1270,6 +1270,10 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ bitcoin_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
# Bug 529208
dmesg_run(sysadm_t, sysadm_r)
')
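Review bot: bitcoin_admin(sysadm_t, sysadm_r) goes into the distro_gentoo section, as do logsentry_admin and phpfpm_admin in the later hunks, but the commit has a subject line only and does not say why these three stay Gentoo-specific when the sibling commit in this thread removed other _admin calls from the same section as "now upstream". A short commit body, or a comment above each block, stating the reason would make that distinction reviewable.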
@@ -1287,6 +1291,10 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ logsentry_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
mutt_role(sysadm_r, sysadm_t)
')
@@ -1299,6 +1307,10 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ phpfpm_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
postgresql_admin(sysadm_t, sysadm_r)
postgresql_exec(sysadm_t)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/roles/
@ 2015-06-11 16:04 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
To: gentoo-commits
commit: ded2b53d98e2ce1066bb21aadf87432bf670321b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun 9 13:46:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:36:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ded2b53d
Remove _admin interfaces from ifdef gentoo section
They are now upstream.
policy/modules/roles/sysadm.te | 36 ------------------------------------
1 file changed, 36 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 13b48c6..1963c88 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1270,23 +1270,11 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- bind_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
# Bug 529208
dmesg_run(sysadm_t, sysadm_r)
')
optional_policy(`
- dnsmasq_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- dovecot_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
dracut_run(sysadm_t, sysadm_r)
')
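Review bot: Dropping bind_admin, dnsmasq_admin and dovecot_admin from the distro_gentoo section is only safe when the tree already has the unconditional copies, and "They are now upstream" does not name the commit that provides them. Reference it in the message: the sysadm.te change "Add all the missing _admin interfaces to sysadm" in this thread adds all nine interfaces removed by this patch, and naming it keeps the two from being applied or reverted independently.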
@@ -1311,27 +1299,11 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- ntp_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- openvpn_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- postfix_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
postgresql_admin(sysadm_t, sysadm_r)
postgresql_exec(sysadm_t)
')
optional_policy(`
- puppet_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
qemu_read_state(sysadm_t)
qemu_signal(sysadm_t)
qemu_kill(sysadm_t)
@@ -1340,10 +1312,6 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- rpc_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
rpcbind_stream_connect(sysadm_t)
')
@@ -1362,10 +1330,6 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- shorewall_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
uwsgi_admin(sysadm_t, sysadm_r)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/roles/
@ 2015-12-02 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: a787ebb2610fa8e056cff06b97239a4493767ed6
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 16:53:58 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:53:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a787ebb2
Add rules for sysadm_r to manage the services.
policy/modules/roles/sysadm.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 40420c7..70fcf14 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -34,6 +34,15 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
+init_get_system_status(sysadm_t)
+init_disable(sysadm_t)
+init_enable(sysadm_t)
+init_reload(sysadm_t)
+init_reboot_system(sysadm_t)
+init_shutdown_system(sysadm_t)
+init_start_generic_units(sysadm_t)
+init_stop_generic_units(sysadm_t)
+init_reload_generic_units(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
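Review bot: The nine init_* calls added after init_exec(sysadm_t) have no comment, unlike the "# Add/remove user home directories" line that follows them, and they are unconditional. Add a comment describing the group (service management, per the commit subject), and since init_reboot_system and init_shutdown_system, going by their names, let sysadm_t reboot or power off the host, confirm that this is wanted in every build type rather than behind a tunable or an optional block.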