Current File : //usr/share/selinux/devel/include/admin/sudo.if

## <summary>Execute a command with a substitute user</summary>

#######################################
## <summary>
##	The role template for the sudo module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is allowed
##	to change the linux user id, to run commands as a different
##	user.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
template(`sudo_role_template',`

	gen_require(`
		type sudo_exec_t;
		type sudo_db_t;
		attribute sudodomain;
	')

	##############################
	#
	# Declarations
	#

	type $1_sudo_t, sudodomain; 
	userdom_user_application_domain($1_sudo_t, sudo_exec_t)
	domain_interactive_fd($1_sudo_t)
	domain_role_change_exemption($1_sudo_t)
	role $2 types $1_sudo_t;
	userdom_home_manager($1_sudo_t)

	type $1_sudo_tmp_t;
	files_tmp_file($1_sudo_tmp_t)

	allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)

	allow $1_sudo_t $3:dir search_dir_perms;;
	allow $1_sudo_t $3:file read_file_perms;;
	allow $1_sudo_t $3:key search;

	allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };

	# Enter this derived domain from the user domain
	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)

	# By default, revert to the calling domain when a shell is executed.
	corecmd_shell_domtrans($1_sudo_t, $3)
	corecmd_bin_domtrans($1_sudo_t, $3)
	userdom_domtrans_user_home($1_sudo_t, $3)
	userdom_domtrans_user_tmp($1_sudo_t, $3)
	domain_entry_file($3, sudo_exec_t)
	domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)

	allow $3 $1_sudo_t:fd use;
	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
	allow $3 $1_sudo_t:process signal_perms;

	kernel_read_system_state($1_sudo_t)
	seutil_libselinux_linked($1_sudo_t)

	auth_run_chk_passwd($1_sudo_t, $2)
	auth_use_nsswitch($1_sudo_t)

	logging_send_syslog_msg($1_sudo_t)
    logging_read_syslog_pid($1_sudo_t)

    term_use_generic_ptys($1_sudo_t)
    term_setattr_generic_ptys($1_sudo_t)

	optional_policy(`
		mta_role($2, $1_sudo_t)
	')

    optional_policy(`
	    rpm_run($1_sudo_t, $2)
    ')

	optional_policy(`
		dmidecode_domtrans($1_sudo_t)
	')

	optional_policy(`
	    	kerberos_manage_host_rcache($1_sudo_t)
		kerberos_read_config($1_sudo_t)
	')

	optional_policy(`
		netutils_domtrans($1_sudo_t)
		netutils_run_traceroute($1_sudo_t, $2)
	')

	optional_policy(`
		systemd_domtrans_systemctl($1_sudo_t, $3)
		systemd_systemctl_entrypoint($3)
	')

	optional_policy(`
		userdom_write_user_tmp_sockets($1_sudo_t)
	')

	optional_policy(`
		usermanage_domtrans_passwd($1_sudo_t)
	')
')

########################################
## <summary>
##	Send a SIGCHLD signal to the sudo domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sudo_sigchld',`
	gen_require(`
		attribute sudodomain;
	')

	allow $1 sudodomain:process sigchld;
')

#######################################
## <summary>
##  Allow execute sudo in called domain.
##  This interfaces is added for nova-stack policy.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`sudo_exec',`
    gen_require(`
        type sudo_exec_t;
    ')

	can_exec($1, sudo_exec_t)
')

######################################
## <summary>
##  Allow to manage sudo database in called domain.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`sudo_manage_db',`
    gen_require(`
        type sudo_db_t;
    ')
    
    manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
    manage_files_pattern($1, sudo_db_t, sudo_db_t)
')

########################################
## <summary>
## 	Transition to sudo log named content
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_filetrans_named_content_log',`
	gen_require(`
		type sudo_log_t;
	')

	logging_log_filetrans($1, sudo_log_t, file, "sudo.log")
')