patch from dan Tue, 05 Sep 2006 17:06:06 -0400
## <summary>
##	Final system configuration run during the first boot
##	after installation of Red Hat/Fedora systems.
## </summary>
########################################
## <summary>
##	Run the firstboot executable with an automatic
##	transition into the firstboot domain.
## </summary>
## <param name="domain">
##	<summary>
##	Type of the calling process that is permitted to
##	make the transition.
##	</summary>
## </param>
#
interface(`firstboot_domtrans',`
	gen_require(`
		type firstboot_exec_t, firstboot_t;
	')

	# Executing a firstboot_exec_t file from the caller domain
	# starts the new process in firstboot_t.
	# NOTE(review): firstboot performs system configuration (see
	# the module summary), so this interface should only be granted
	# to domains that are trusted to launch it.
	domain_auto_trans($1, firstboot_exec_t, firstboot_t)

	# File descriptors may be inherited in both directions
	# across the transition.
	allow firstboot_t $1:fd use;
	allow $1 firstboot_t:fd use;

	# firstboot may signal its exit to the caller and may read and
	# write pipes owned by the caller.
	# NOTE(review): a generic file permission set is applied to
	# fifo_file here; confirm it grants no more than pipe I/O needs.
	allow firstboot_t $1:process sigchld;
	allow firstboot_t $1:fifo_file rw_file_perms;
')
########################################
## <summary>
##	Run firstboot in the firstboot domain and
##	authorize the given role for that domain.
## </summary>
## <param name="domain">
##	<summary>
##	Type of the calling process that is permitted to
##	make the transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role that is to be allowed the firstboot domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	Type of the terminal that the firstboot domain
##	is allowed to use.
##	</summary>
## </param>
#
interface(`firstboot_run',`
	gen_require(`
		type firstboot_t;
	')

	# Domain transition rules for the calling domain.
	firstboot_domtrans($1)

	# Associate firstboot_t with the role; without this the
	# transition would not be valid for processes in that role.
	# NOTE(review): this widens what the role may run, so pass
	# only roles that are meant to perform system configuration.
	role $2 types firstboot_t;

	# Read/write access to the terminal type supplied by the caller.
	allow firstboot_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
##	Inherit and use file descriptors that were
##	opened by firstboot.
## </summary>
## <param name="domain">
##	<summary>
##	Type of the process that is allowed to use
##	the descriptors.
##	</summary>
## </param>
#
interface(`firstboot_use_fds',`
	gen_require(`
		type firstboot_t;
	')

	# Grants only the fd use permission; access to the object
	# behind a descriptor still needs its own allow rule.
	allow $1 firstboot_t:fd use;
')
########################################
## <summary>
##	Suppress audit records for attempts to inherit
##	a file descriptor from firstboot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain whose denied attempts are not audited.
##	</summary>
## </param>
#
interface(`firstboot_dontaudit_use_fds',`
	gen_require(`
		type firstboot_t;
	')

	# The access stays denied; only the denial message is
	# silenced, so it will not show up in the audit log.
	dontaudit $1 firstboot_t:fd use;
')
########################################
## <summary>
##	Write to an unnamed pipe owned by firstboot.
## </summary>
## <param name="domain">
##	<summary>
##	Type of the process that is allowed to write
##	to the pipe.
##	</summary>
## </param>
#
interface(`firstboot_write_pipes',`
	gen_require(`
		type firstboot_t;
	')

	# Write only: no read or other fifo_file permission is granted.
	allow $1 firstboot_t:fifo_file write;
')