[selinux-policy: 1117/3172] add userhelper

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:41:35 UTC 2010 

commit 7c2f5a82ae129c5eef9611036e180eeb453aaa6a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jan 18 16:40:04 2006 +0000

    add userhelper

 refpolicy/Changelog                             |    1 +
 refpolicy/policy/modules/apps/userhelper.fc     |    9 +
 refpolicy/policy/modules/apps/userhelper.if     |  217 +++++++++++++++++++++++
 refpolicy/policy/modules/apps/userhelper.te     |   13 ++
 refpolicy/policy/modules/kernel/corecommands.if |  100 +++++++++--
 refpolicy/policy/modules/kernel/domain.if       |   17 ++
 refpolicy/policy/modules/services/xdm.te        |    6 +-
 refpolicy/policy/modules/system/authlogin.if    |   38 ++++
 refpolicy/policy/modules/system/init.if         |   16 ++
 refpolicy/policy/modules/system/userdomain.if   |  134 ++++++++++++++
 10 files changed, 538 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index fbe4f5c..61fef3c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,6 @@
 - Added modules:
 	portage
+	userhelper
 	usernetctl
 
 * Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
diff --git a/refpolicy/policy/modules/apps/userhelper.fc b/refpolicy/policy/modules/apps/userhelper.fc
new file mode 100644
index 0000000..0cd9dc4
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console.apps(/.*)?		gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
new file mode 100644
index 0000000..440bf9e
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -0,0 +1,217 @@
+## <summary>SELinux utility to run a shell with a new role</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the userhelper module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for userhelper.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`userhelper_per_userdomain_template',`
+	gen_require(`
+		type userhelper_exec_t, userhelper_conf_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+	type $1_userhelper_t;
+	domain_type($1_userhelper_t)
+	domain_entry_file($1_userhelper_t,userhelper_exec_t)
+	domain_role_change_exempt($1_userhelper_t)
+	domain_obj_id_change_exempt($1_userhelper_t)
+	domain_wide_inherit_fd($1_userhelper_t)
+	domain_subj_id_change_exempt($1_userhelper_t)
+	role system_r types $1_userhelper_t;
+	
+	########################################
+	#
+	# Local policy
+	#
+	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_userhelper_t self:fd use;
+	allow $1_userhelper_t self:fifo_file rw_file_perms;
+	allow $1_userhelper_t self:shm create_shm_perms;
+	allow $1_userhelper_t self:sem create_sem_perms;
+	allow $1_userhelper_t self:msgq create_msgq_perms;
+	allow $1_userhelper_t self:msg { send receive };
+	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_userhelper_t self:unix_dgram_socket sendto;
+	allow $1_userhelper_t self:unix_stream_socket connectto;
+	allow $1_userhelper_t self:sock_file r_file_perms;
+
+	#Transition to the derived domain.
+	domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
+	allow $2 $1_userhelper_t:fd use;
+	allow $1_userhelper_t $2:fd use;
+	allow $1_userhelper_t $2:fifo_file rw_file_perms;
+	allow $1_userhelper_t $2:process sigchld;
+
+	allow $1_userhelper_t self:process setexec;
+
+	allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
+	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+
+	can_exec($1_userhelper_t, userhelper_exec_t)
+
+	dontaudit $2 $1_userhelper_t:process signal;
+	
+	kernel_read_all_sysctl($1_userhelper_t)
+	kernel_getattr_debugfs($1_userhelper_t)
+	kernel_read_system_state($1_userhelper_t)
+
+	# Execute shells
+	corecmd_exec_shell($1_userhelper_t)
+	# By default, revert to the calling domain when a program is executed
+	corecmd_bin_domtrans($1_userhelper_t,$2)
+	corecmd_sbin_domtrans($1_userhelper_t,$2)
+
+	# Inherit descriptors from the current session.
+	domain_use_wide_inherit_fd($1_userhelper_t)
+	# for when the user types "exec userhelper" at the command line
+	domain_sigchld_wide_inherit_fd($1_userhelper_t)
+
+	dev_read_urand($1_userhelper_t)
+	# Read /dev directories and any symbolic links.
+	dev_list_all_dev_nodes($1_userhelper_t)
+
+	files_list_var_lib($1_userhelper_t)
+	# Write to utmp.
+	files_filetrans_pid($1_userhelper_t,initrc_var_run_t)
+	# Read the /etc/security/default_type file
+	files_read_etc_files($1_userhelper_t)
+	# Read /var.
+	files_read_var_files($1_userhelper_t)
+	files_read_var_symlink($1_userhelper_t)
+	# for some PAM modules and for cwd
+	files_search_home($1_userhelper_t)
+
+	fs_search_auto_mountpoints($1_userhelper_t)
+	fs_read_nfs_files($1_userhelper_t)
+	fs_read_nfs_symlinks($1_userhelper_t)
+
+	# Allow $1_userhelper to obtain contexts to relabel TTYs
+	selinux_get_fs_mount($1_userhelper_t)
+	selinux_validate_context($1_userhelper_t)
+	selinux_compute_access_vector($1_userhelper_t)
+	selinux_compute_create_context($1_userhelper_t)
+	selinux_compute_relabel_context($1_userhelper_t)
+	selinux_compute_user_contexts($1_userhelper_t)
+
+	# Read the devpts root directory.
+	term_list_ptys($1_userhelper_t)
+	# Relabel terminals.
+	term_relabel_all_user_ttys($1_userhelper_t)
+	term_relabel_all_user_ptys($1_userhelper_t)
+	# Access terminals.
+	term_use_all_user_ttys($1_userhelper_t)
+	term_use_all_user_ptys($1_userhelper_t)
+
+	auth_domtrans_chk_passwd($1_userhelper_t)
+	auth_manage_pam_pid($1_userhelper_t)
+	auth_manage_var_auth($1_userhelper_t)
+	auth_search_pam_console_data($1_userhelper_t)
+
+	# Inherit descriptors from the current session.
+	init_use_fd($1_userhelper_t)
+	# Write to utmp.
+	init_manage_utmp($1_userhelper_t)
+
+	libs_use_ld_so($1_userhelper_t)
+	libs_use_shared_libs($1_userhelper_t)
+
+	miscfiles_read_localization($1_userhelper_t)
+
+	seutil_read_config($1_userhelper_t)
+	seutil_read_default_contexts($1_userhelper_t)
+
+	userdom_use_unpriv_users_fd($1_userhelper_t)
+	# Allow $1_userhelper_t to transition to user domains.
+	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+	userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
+	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+	ifdef(`distro_redhat',`
+		optional_policy(`rpm',`
+			# Allow transitioning to rpm_t, for up2date
+			rpm_domtrans($1_userhelper_t)
+		')
+	')
+
+	tunable_policy(`! secure_mode',`
+		#if we are not in secure mode then we can transition to sysadm_t
+		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
+		userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
+		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+	')
+	
+
+	optional_policy(`logging',`
+		logging_send_syslog_msg($1_userhelper_t)
+	')
+
+	optional_policy(`nis',`
+		nis_use_ypbind($1_userhelper_t)
+	')
+
+	optional_policy(`nscd',`
+		nscd_use_socket($1_userhelper_t)
+	')
+
+	ifdef(`TODO',`
+		allow $1_userhelper_t xdm_t:fd use;
+		allow $1_userhelper_t xdm_var_run_t:dir search;
+		allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
+
+		optional_policy(`gnome-pty-helper.te',`
+			allow $1_userhelper_t gphdomain:fd use;
+		')
+		optional_policy(`xauth', `
+			domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+			allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
+		')
+		optional_policy(`mozilla', `
+			domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+		')
+		# for when the network connection is killed
+		dontaudit unpriv_userdomain $1_userhelper_t:process signal;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search userhelp configuration
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+	gen_require(`
+		type userhelper_conf_t;
+	')
+
+	dontaudit $1 userhelper_conf_t:dir search;
+')
diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te
new file mode 100644
index 0000000..22cae2e
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.te
@@ -0,0 +1,13 @@
+
+policy_module(userhelper,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+files_type(userhelper_conf_t)
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index f6f09fe..8e9100a 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -242,7 +242,9 @@ interface(`corecmd_mmap_bin_files',`
 ########################################
 ## <summary>
 ##	Execute a file in a bin directory
-##	in the specified domain.
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
 ## </summary>
 ## <desc>
 ##	<p>
@@ -259,7 +261,7 @@ interface(`corecmd_mmap_bin_files',`
 ##	</p>
 ##	<p>
 ##	This interface was added to handle
-##	the ssh-agent policy.
+##	the userhelper policy.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -269,17 +271,54 @@ interface(`corecmd_mmap_bin_files',`
 ##	The type of the new process.
 ## </param>
 #
-interface(`corecmd_bin_domtrans',`
+interface(`corecmd_bin_spec_domtrans',`
 	gen_require(`
 		type bin_t;
-		class dir search;
-		class lnk_file { getattr read };
 	')
 
 	allow $1 bin_t:dir search;
 	allow $1 bin_t:lnk_file { getattr read };
 
-	domain_auto_trans($1,bin_t,$2)
+	domain_trans($1,bin_t,$2)
+')
+
+########################################
+## <summary>
+##      Execute a file in a bin directory
+##      in the specified domain.
+## </summary>
+## <desc>
+##      <p>
+##      Execute a file in a bin directory
+##      in the specified domain.  This allows
+##      the specified domain to execute any file
+##      on these filesystems in the specified
+##      domain.  This is not suggested.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+##      <p>
+##      This interface was added to handle
+##      the ssh-agent policy.
+##      </p>
+## </desc>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+## <param name="target_domain">
+##      The type of the new process.
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+	gen_require(`
+		type bin_t;
+	')
+
+	corecmd_bin_spec_domtrans($1,$2)
+	type_transition $1 bin_t:process $2;
 ')
 
 ########################################
@@ -541,6 +580,49 @@ interface(`corecmd_sbin_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute a file in a sbin directory
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a sbin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the userhelper policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`corecmd_sbin_spec_domtrans',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file { getattr read };
+
+	domain_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
 ##	Check if a shell is executable (DAC-wise).
 ## </summary>
 ## <param name="domain">
@@ -564,8 +646,6 @@ interface(`corecmd_check_exec_shell',`
 interface(`corecmd_exec_shell',`
 	gen_require(`
 		type bin_t, shell_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
 	')
 
 	allow $1 bin_t:dir r_dir_perms;
@@ -580,8 +660,6 @@ interface(`corecmd_exec_shell',`
 interface(`corecmd_exec_ls',`
 	gen_require(`
 		type bin_t, ls_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
 	')
 
 	allow $1 bin_t:dir r_dir_perms;
@@ -617,8 +695,6 @@ interface(`corecmd_exec_ls',`
 interface(`corecmd_shell_spec_domtrans',`
 	gen_require(`
 		type bin_t, shell_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
 	')
 
 	allow $1 bin_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index d02815b..db68ba8 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -1074,6 +1074,23 @@ interface(`domain_mmap_all_entry_files',`
 
 ########################################
 ## <summary>
+##      Execute an entry_type in the specified domain.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+# cjp: added for userhelper
+interface(`domain_entry_spec_domtrans',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	domain_trans($1,entry_type,$2)
+')
+
+########################################
+## <summary>
 ##	Unconfined access to domains.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index b27ecd5..91f46de 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -1,5 +1,5 @@
 
-policy_module(xdm,1.1.0)
+policy_module(xdm,1.1.1)
 
 ########################################
 #
@@ -102,6 +102,10 @@ optional_policy(`locallogin',`
 	locallogin_signull(xdm_t)
 ')
 
+optional_policy(`userhelper',`
+	userhelper_dontaudit_search_config(xdm_t)
+')
+
 ifdef(`TODO',`
 # cjp: TODO: integrate strict policy:
 daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index fca8333..21032db 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -586,6 +586,26 @@ interface(`auth_exec_pam',`
 	can_exec($1,pam_exec_t)
 ')
 
+########################################
+## <summary>
+##	Manage var auth files. Used by various other applications
+##	and pam applets etc.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`auth_manage_var_auth',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_auth_t:dir create_dir_perms;
+	allow $1 var_auth_t:file rw_file_perms;
+	allow $1 var_auth_t:lnk_file rw_file_perms;
+')
+
 #######################################
 #
 # auth_read_pam_pid(domain)
@@ -638,6 +658,24 @@ interface(`auth_delete_pam_pid',`
 	allow $1 pam_var_run_t:file { getattr unlink };
 ')
 
+########################################
+## <summary>
+##	Manage pam PID files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`auth_manage_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pam_var_run_t:dir create_dir_perms;
+	allow $1 pam_var_run_t:file create_file_perms;
+')
+
 #######################################
 #
 # auth_domtrans_pam_console(domain)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index ebd5801..fe34c0b 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -873,3 +873,19 @@ interface(`init_dontaudit_rw_script_pid',`
 	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 
+########################################
+## <summary>
+##      Manage init files like utmp.
+## </summary>
+## <param name="domain">
+##      Domain access allowed.
+## </param>
+#
+interface(`init_manage_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 initrc_var_run_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index e8fc6ce..3109ce5 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2390,6 +2390,75 @@ interface(`userdom_manage_unpriv_user_shared_mem',`
 
 ########################################
 ## <summary>
+##	Execute bin_t in the unprivileged user domains. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute generic sbin programs in all unprivileged user
+##	domains. This is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
+	
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in unprivileged user
+##	domains. This is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	domain_entry_spec_domtrans($1,unpriv_userdomain)
+
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute a shell in the sysadm domain.
 ## </summary>
 ## <param name="domain">
@@ -2416,6 +2485,71 @@ interface(`userdom_shell_domtrans_sysadm',`
 
 ########################################
 ## <summary>
+##	Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a generic sbin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_sbin_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in the sysadm domain. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Search the staff users home directory.
 ## </summary>
 ## <param name="domain">

More information about the scm-commits mailing list