37 lines
759 B
Plaintext
37 lines
759 B
Plaintext
policy_module(sau, 0.1)
|
|
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
type sysadm_t;
|
|
|
|
role sysadm_r;
|
|
role system_r;
|
|
')
|
|
|
|
type sau_t;
|
|
type sau_exec_t;
|
|
type sau_config_t;
|
|
|
|
domain_type(sau_t)
|
|
domain_entry_file(sau_t, sau_exec_t)
|
|
files_config_file(sau_config_t)
|
|
read_files_pattern(sau_t, etc_t, sau_config_t);
|
|
|
|
role sysadm_r types sau_t;
|
|
role system_r types sau_t;
|
|
|
|
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
|
|
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
|
|
|
|
# this should be fixed, but I don't know enough selinux magic to restrict this
|
|
# while still allowing it to inspect all open files for all processes
|
|
unconfined_domain_noaudit(sau_t)
|
|
|
|
# Gentoo specific
|
|
portage_domtrans(sau_t)
|
|
|
|
|
|
# postfix
|
|
postfix_admin(sau_t, system_r)
|
|
|