#DESC firstboot
#
# Author:  Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#
#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')
etc_domain(firstboot)
allow firstboot_t proc_t:file r_file_perms;
allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };
domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
can_exec_any(firstboot_t)
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
allow firstboot_t etc_runtime_t:file { getattr read };
r_dir_file(firstboot_t, etc_t)
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)
allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;
allow firstboot_t etc_t:file write;
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
allow firstboot_t krb5_conf_t:file { getattr read };
allow firstboot_t net_conf_t:file { getattr read };
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
dontaudit firstboot_t shadow_t:file getattr;
role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
allow firstboot_t self:passwd rootok;
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')
allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;
allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t net_conf_t:file rw_file_perms;
allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
allow firstboot_t node_t:node { tcp_recv tcp_send };
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
can_getsecurity(firstboot_t)
dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)
allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
#
# The big hammer: unconfined_domain() makes firstboot_t effectively
# unrestricted, so the fine-grained rules above are largely subsumed by it
# and serve mainly to document what firstboot actually needs.
#
unconfined_domain(firstboot_t) 