# SELinux policy module for firstboot, the one-shot post-installation setup
# tool.  Because it creates users, edits /etc, loads kernel modules and talks
# to several other domains, firstboot_t is a deliberately broad domain; note
# in particular the optional unconfined block at the end of this file, which
# removes most confinement whenever the unconfined module is loaded.

policy_module(firstboot, 1.9.0)

# Pull in the userspace "passwd" object class so the self:passwd rule below
# compiles.  The rootok permission is the one consulted through libselinux by
# pam_rootok when deciding whether root may act without re-authenticating.
gen_require(`
	class passwd rootok;
')

########################################
#
# Declarations
#

# Process domain and its entry-point executable type.  init_system_domain
# makes firstboot_t a system domain that init may transition into when
# executing a firstboot_exec_t file.
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
# Exempt firstboot_t from the constraints that normally block a domain from
# changing the SELinux user/role of objects it relabels and of processes it
# transitions to.  Presumably needed because it sets up accounts and home
# directories for new users -- a strong privilege; keep it justified.
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
# Authorize firstboot_t in the system role so init can run it.
role system_r types firstboot_t;

# Configuration files belonging to firstboot.
type firstboot_etc_t;
files_config_file(firstboot_etc_t)

########################################
#
# Local policy
#

# dac_override lets the domain bypass discretionary read/write/execute
# checks; setgid lets it change group ids.  Neither implies setuid here.
allow firstboot_t self:capability { dac_override setgid };
# setfscreate: set the file-creation context (setfscreatecon) so newly
# created files get an explicit label.
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
allow firstboot_t self:tcp_socket create_stream_socket_perms;
allow firstboot_t self:unix_stream_socket { connect create };
# Grant the pam_rootok check on the domain itself (class declared above).
allow firstboot_t self:passwd rootok;

# Read-only access to its own configuration.
allow firstboot_t firstboot_etc_t:file read_file_perms;

# /proc system state and kernel sysctls (read only).
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)

# Unrestricted outbound/inbound TCP on any interface, node and port, plus
# receipt of unlabeled and NetLabel-labeled packets.  This is wider than a
# setup tool strictly needs; nothing in this file narrows it to a port set.
corenet_all_recvfrom_unlabeled(firstboot_t)
corenet_all_recvfrom_netlabel(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)

# Random bytes (e.g. for password salts); /dev/urandom only.
dev_read_urand(firstboot_t)

# selinuxfs queries used by libselinux: locate the selinuxfs mount, validate
# contexts, and ask the kernel for access/create/relabel/user-context
# decisions.  These are read-only policy queries, not policy changes.
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
selinux_compute_create_context(firstboot_t)
selinux_compute_relabel_context(firstboot_t)
selinux_compute_user_contexts(firstboot_t)

# Silence audit noise from getattr on the shadow file type; this does not
# grant read access to it.
auth_dontaudit_getattr_shadow(firstboot_t)

# Execute any executable type without a domain transition, i.e. the helper
# stays in firstboot_t.  Transitions to specific domains are listed further
# down (init scripts, insmod, usermanage tools, unconfined).
corecmd_exec_all_executables(firstboot_t)

# /etc: execute scripts there and create/modify/delete etc and etc_runtime
# files (it writes system configuration).  /usr is read only.  /var dirs,
# files and symlinks are fully managed.
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
files_manage_etc_runtime_files(firstboot_t)
files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)

# Run init scripts (transition to the init script domain) and update utmp.
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)

# Direct execution of the dynamic loader and library files.
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)

# Inherit and use file descriptors from local login.
locallogin_use_fds(firstboot_t)

logging_send_syslog_msg(firstboot_t)

miscfiles_read_localization(firstboot_t)

# Load kernel modules via the insmod domain and read module config/deps.
modutils_domtrans_insmod(firstboot_t)
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)

# Interact on user terminals.
userdom_use_user_terminals(firstboot_t)
# Add/remove user home directories
# Full create/delete rights over every user home content type (dirs, files,
# symlinks, pipes, sockets); new home dirs under the home root get the
# user home dir type, and objects created inside them get the user home
# content type, so a new account comes up correctly labelled.
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })

# D-Bus communication with hald (only if the hal module is loaded).
optional_policy(`
	hal_dbus_chat(firstboot_t)
')

# NIS lookups through ypbind.
optional_policy(`
	nis_use_ypbind(firstboot_t)
')

# Read/write the Samba configuration.
optional_policy(`
	samba_rw_config(firstboot_t)
')

# When the unconfined module is present, firstboot_t may transition to the
# unconfined domain and is itself made an unconfined domain.  In that
# configuration every rule above is effectively redundant: the confinement
# expressed in this file only holds on builds without the unconfined module.
optional_policy(`
	unconfined_domtrans(firstboot_t)
	# The big hammer
	unconfined_domain(firstboot_t)
')

# Account management is delegated by domain transition to the usermanage
# tool domains (chfn, groupadd, passwd, useradd, admin passwd) rather than
# being done directly in firstboot_t.
optional_policy(`
	usermanage_domtrans_chfn(firstboot_t)
	usermanage_domtrans_groupadd(firstboot_t)
	usermanage_domtrans_passwd(firstboot_t)
	usermanage_domtrans_useradd(firstboot_t)
	usermanage_domtrans_admin_passwd(firstboot_t)
')

# X server shared memory plus an unconfined exemption from the X server's
# own object-manager checks -- firstboot runs a graphical UI.
optional_policy(`
	xserver_rw_shm(firstboot_t)
	xserver_unconfined(firstboot_t)
')