diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index c1ff4e9..1c751aa 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,6 +67,12 @@ optional_policy(`cron.te',`
cron_read_pipe(consoletype_t)
')
+optional_policy(`firstboot.te',`
+ files_read_etc_files(consoletype_t)
+ firstboot_use_fd(consoletype_t)
+ firstboot_write_pipe(consoletype_t)
+')
+
optional_policy(`logrotate.te',`
logrotate_dontaudit_use_fd(consoletype_t)
')
@@ -102,8 +108,4 @@ optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file r_file_perms;
')
-optional_policy(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/firstboot.fc b/refpolicy/policy/modules/admin/firstboot.fc
new file mode 100644
index 0000000..6d2e5f8
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.fc
@@ -0,0 +1,5 @@
+# firstboot
+/usr/sbin/firstboot -- context_template(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot context_template(system_u:object_r:firstboot_rw_t,s0)
+/usr/share/firstboot/firstboot\.py -- context_template(system_u:object_r:firstboot_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
new file mode 100644
index 0000000..13678e0
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.if
@@ -0,0 +1,88 @@
+##
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+##
+
+########################################
+##
+## Execute firstboot in the firstboot domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+
+ allow $1 firstboot_t:fd use;
+ allow firstboot_t $1:fd use;
+ allow firstboot_t $1:fifo_file rw_file_perms;
+ allow firstboot_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the firstboot domain.
+##
+##
+## The type of the terminal allow the firstboot domain to use.
+##
+#
+interface(`firstboot_run',`
+ gen_require(`
+ type firstboot_t;
+ class chr_file rw_term_perms;
+ ')
+
+ firstboot_domtrans($1)
+ role $2 types firstboot_t;
+ allow firstboot_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Inherit and use a file descriptor from firstboot.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_use_fd',`
+ gen_require(`
+ type firstboot_t;
+ class fd use;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+##
+## Write to a firstboot unnamed pipe.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_write_pipe',`
+ gen_require(`
+ type firstboot_t;
+ class fifo_file write;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
new file mode 100644
index 0000000..aaf5090
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -0,0 +1,136 @@
+
+policy_module(firstboot,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t,firstboot_exec_t)
+domain_obj_id_change_exempt(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t; #, usercanread;
+files_type(firstboot_etc_t)
+
+type firstboot_rw_t;
+files_type(firstboot_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file { getattr read };
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+files_create_etc_config(firstboot_t,firstboot_rw_t,file)
+
+# The big hammer
+unconfined_domain_template(firstboot_t)
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctl(firstboot_t)
+
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_raw_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_raw_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+corenet_tcp_bind_all_nodes(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_bin(firstboot_t)
+corecmd_exec_sbin(firstboot_t)
+
+domain_exec_all_entry_files(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_read_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_read_script(firstboot_t)
+init_rw_script_pid(firstboot_t)
+
+libs_use_ld_so(firstboot_t)
+libs_use_shared_libs(firstboot_t)
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fd(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_read_module_conf(firstboot_t)
+modutils_read_mods_deps(firstboot_t)
+
+sysnet_manage_config(firstboot_t)
+
+# Add/remove user home directories
+userdom_create_user_home_dir(firstboot_t)
+userdom_manage_user_home_dir(firstboot_t)
+userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_dirs(firstboot_t)
+userdom_manage_user_home_files(firstboot_t)
+userdom_manage_user_home_symlinks(firstboot_t)
+userdom_manage_user_home_pipes(firstboot_t)
+userdom_manage_user_home_sockets(firstboot_t)
+usermanage_domtrans_useradd(firstboot_t)
+usermanage_domtrans_groupadd(firstboot_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_rw_config(firstboot_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(firstboot_t)
+')
+
+ifdef(`TODO',`
+allow firstboot_t proc_t:file write;
+
+ifdef(`printconf.te', `
+ can_exec(firstboot_t, printconf_t)
+')
+
+ifdef(`samba.te', `
+ rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+ifdef(`userhelper.te', `
+ role system_r types sysadm_userhelper_t;
+ domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`xserver.te', `
+ domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index a2a76fe..499c7b1 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -68,7 +68,7 @@ interface(`kerberos_use',`
## Domain allowed access.
##
#
-interface(`kerberos_read_conf',`
+interface(`kerberos_read_config',`
gen_require(`
type krb5_conf_t;
class files r_file_perms;
@@ -77,3 +77,21 @@ interface(`kerberos_read_conf',`
files_search_etc($1)
allow $1 krb5_conf_t:file r_file_perms;
')
+
+########################################
+##
+## Read and write the kerberos configuration file (/etc/krb5.conf).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kerberos_rw_config',`
+ gen_require(`
+ type krb5_conf_t;
+ class files rw_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6acc26c..980b8e3 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -546,12 +546,6 @@ interface(`files_create_root',`
gen_require(`
type root_t;
class dir create_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
- class fifo_file create_file_perms;
- class sock_file create_file_perms;
- class blk_file create_file_perms;
- class chr_file create_file_perms;
')
allow $1 root_t:dir rw_dir_perms;
@@ -1694,6 +1688,24 @@ interface(`files_dontaudit_search_var',`
########################################
##
+## Create, read, write, and delete directories
+## in the /var directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_manage_var_dirs',`
+ gen_require(`
+ type var_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 var_t:dir create_dir_perms;
+')
+
+########################################
+##
## Read files in the /var directory.
##
##
@@ -1713,6 +1725,25 @@ interface(`files_read_var_files',`
########################################
##
+## Create, read, write, and delete files in the /var directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_manage_var_files',`
+ gen_require(`
+ type var_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+ allow $1 var_t:file create_file_perms;
+')
+
+########################################
+##
## Read symbolic links in the /var directory.
##
##
@@ -1732,6 +1763,26 @@ interface(`files_read_var_symlink',`
########################################
##
+## Create, read, write, and delete symbolic
+## links in the /var directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_manage_var_symlinks',`
+ gen_require(`
+ type var_t;
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+ allow $1 var_t:lnk_file create_lnk_perms;
+')
+
+########################################
+##
## Get the attributes of the /var/lib directory.
##
##
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index a96f5fa..73db9df 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -78,6 +78,10 @@ tunable_policy(`use_dns',`
sysnet_read_config(hostname_t)
')
+optional_policy(`firstboot.te',`
+ firstboot_use_fd(hostname_t)
+')
+
optional_policy(`hotplug.te',`
hotplug_dontaudit_use_fd(hostname_t)
')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d93fdc3..9543b93 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -301,6 +301,13 @@ interface(`init_domtrans_script',`
##
## Start and stop daemon programs directly.
##
+##
+##
+## Start and stop daemon programs directly
+## in the traditional "/etc/init.d/daemon start"
+## style, and do not require run_init.
+##
+##
##
## The type of the process performing this action.
##
@@ -324,6 +331,24 @@ interface(`init_run_daemon',`
')
########################################
+##
+## Read init scripts.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`init_read_script',`
+ gen_require(`
+ type initrc_exec_t;
+ class file { getattr read };
+ ')
+
+ files_list_etc($1)
+ allow $1 initrc_exec_t:file { getattr read };
+')
+
+########################################
#
# init_exec_script(domain)
#
@@ -440,8 +465,21 @@ interface(`init_udp_sendto_script',`
')
########################################
-#
-# init_use_script_pty(domain)
+##
+## Read and write the init script pty.
+##
+##
+##
+## Read and write the init script pty. This
+## pty is generally opened by the open_init_pty
+## portion of the run_init program so that the
+## daemon does not require direct access to
+## the administrator terminal.
+##
+##
+##
+## The type of the process performing this action.
+##
#
interface(`init_use_script_pty',`
gen_require(`
@@ -454,6 +492,24 @@ interface(`init_use_script_pty',`
')
########################################
+##
+## Read init scripts.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`init_read_script_file',`
+ gen_require(`
+ type initrc_exec_t;
+ class file r_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file r_file_perms;
+')
+
+########################################
#
# init_dontaudit_use_script_pty(domain)
#
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 8b0620e..509ba51 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -92,6 +92,11 @@ tunable_policy(`use_dns',`
sysnet_read_config(iptables_t)
')
+optional_policy(`firstboot.te',`
+ firstboot_use_fd(iptables_t)
+ firstboot_write_pipe(iptables_t)
+')
+
optional_policy(`modutils.te', `
corecmd_search_sbin(iptables_t)
modutils_domtrans_insmod(iptables_t)
@@ -118,8 +123,4 @@ rhgb_domain(iptables_t)
optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')
-
-optional_policy(`firstboot.te', `
- allow iptables_t firstboot_t:fifo_file write;
-')
') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 28ac24a..133694a 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -104,6 +104,7 @@ miscfiles_read_localization(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
# for /etc/resolv.conf
+sysnet_create_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index fc7109b..7373da2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -165,6 +165,24 @@ interface(`sysnet_read_config',`
#######################################
##
+## Create files in /etc with the type used for
+## the network config files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`sysnet_create_config',`
+ gen_require(`
+ type net_conf_t;
+ class file create_file_perms;
+ ')
+
+ files_create_etc_config($1,net_conf_t,file)
+')
+
+#######################################
+##
## Create, read, write, and delete network config files.
##
##
@@ -177,8 +195,7 @@ interface(`sysnet_manage_config',`
class file create_file_perms;
')
- allow $1 net_conf_t:file r_file_perms;
- files_create_etc_config($1,net_conf_t,file)
+ allow $1 net_conf_t:file create_file_perms;
')
#######################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d3809ef..a7342bd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1250,105 +1250,232 @@ interface(`userdom_read_all_user_files',`
########################################
##
-## Write all unprivileged users files in /tmp
+## Send general signals to unprivileged user domains.
##
##
## The type of the process performing this action.
##
#
-interface(`userdom_write_unpriv_user_tmp',`
+interface(`userdom_signal_unpriv_users',`
gen_require(`
- attribute user_tmpfile;
- class file { getattr write append };
+ attribute unpriv_userdomain;
+ class process signal;
')
- allow $1 user_tmpfile:file { getattr write append };
+ allow $1 unpriv_userdomain:process signal;
')
########################################
##
-## Inherit the file descriptors from all user domains
+## Inherit the file descriptors from unprivileged user domains.
##
##
## The type of the process performing this action.
##
#
-interface(`userdom_use_all_user_fd',`
+interface(`userdom_use_unpriv_users_fd',`
gen_require(`
- attribute userdomain;
+ attribute unpriv_userdomain;
class fd use;
')
- allow $1 userdomain:fd use;
+ allow $1 unpriv_userdomain:fd use;
')
########################################
##
-## Send general signals to all user domains.
+## Do not audit attempts to inherit the
+## file descriptors from all user domains.
##
##
## The type of the process performing this action.
##
#
-interface(`userdom_signal_all_users',`
+interface(`userdom_dontaudit_use_unpriv_user_fd',`
gen_require(`
- attribute userdomain;
- class process signal;
+ attribute unpriv_userdomain;
+ class fd use;
')
- allow $1 userdomain:process signal;
+ dontaudit $1 unpriv_userdomain:fd use;
')
########################################
##
-## Send general signals to unprivileged user domains.
+## Create generic user home directories
+## with automatic file type transition.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
-interface(`userdom_signal_unpriv_users',`
+interface(`userdom_create_user_home_dir',`
gen_require(`
- attribute unpriv_userdomain;
- class process signal;
+ type user_home_dir_t;
')
- allow $1 unpriv_userdomain:process signal;
+ files_create_home_dirs($1,user_home_dir_t)
')
########################################
##
-## Inherit the file descriptors from unprivileged user domains.
+## Create, read, write, and delete
+## generic user home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
-interface(`userdom_use_unpriv_users_fd',`
+interface(`userdom_manage_user_home_dir',`
gen_require(`
- attribute unpriv_userdomain;
- class fd use;
+ type user_home_dir_t;
+ class dir create_dir_perms;
')
- allow $1 unpriv_userdomain:fd use;
+ allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
##
-## Do not audit attempts to inherit the
-## file descriptors from all user domains.
+## Create objects in generic user home directories
+## with automatic file type transition.
+##
+##
+## Domain allowed access.
+##
+##
+## The class of the object to be created.
+## If not specified, file is used.
+##
+#
+interface(`userdom_create_user_home',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ ifelse(`$2',`',`
+ type_transition $1 user_home_dir_t:file user_home_t;
+ ',`
+ type_transition $1 user_home_dir_t:$2 user_home_t;
+ ')
+')
+
+########################################
+##
+## Create, read, write, and delete
+## subdirectories of generic user
+## home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_user_home_dirs',`
+ gen_require(`
+ type user_home_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 user_home_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete files
+## in generic user home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 user_home_t:dir rw_dir_perms;
+ allow $1 user_home_t:file create_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete symbolic
+## links in generic user home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_user_home_symlinks',`
+ gen_require(`
+ type user_home_t;
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 user_home_t:dir rw_dir_perms;
+ allow $1 user_home_t:lnk_file create_lnk_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete named
+## pipes in generic user home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_user_home_pipes',`
+ gen_require(`
+ type user_home_t;
+ class dir rw_dir_perms;
+ class fifo_file create_file_perms;
+ ')
+
+ allow $1 user_home_t:dir rw_dir_perms;
+ allow $1 user_home_t:fifo_file create_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete named
+## sockets in generic user home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_user_home_sockets',`
+ gen_require(`
+ type user_home_t;
+ class dir rw_dir_perms;
+ class sock_file create_file_perms;
+ ')
+
+ allow $1 user_home_t:dir rw_dir_perms;
+ allow $1 user_home_t:sock_file create_file_perms;
+')
+
+########################################
+##
+## Write all unprivileged users files in /tmp
##
##
## The type of the process performing this action.
##
#
-interface(`userdom_dontaudit_use_unpriv_user_fd',`
+interface(`userdom_write_unpriv_user_tmp',`
gen_require(`
- attribute unpriv_userdomain;
- class fd use;
+ attribute user_tmpfile;
+ class file { getattr write append };
')
- dontaudit $1 unpriv_userdomain:fd use;
+ allow $1 user_tmpfile:file { getattr write append };
')
########################################
@@ -1371,6 +1498,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
########################################
##
+## Inherit the file descriptors from all user domains
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`userdom_use_all_user_fd',`
+ gen_require(`
+ attribute userdomain;
+ class fd use;
+ ')
+
+ allow $1 userdomain:fd use;
+')
+
+########################################
+##
+## Send general signals to all user domains.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`userdom_signal_all_users',`
+ gen_require(`
+ attribute userdomain;
+ class process signal;
+ ')
+
+ allow $1 userdomain:process signal;
+')
+
+########################################
+##
## Unconfined access to user domains.
##
##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index b32e891..2ad973e 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -117,6 +117,10 @@ ifdef(`targeted_policy',`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`firstboot.te',`
+ firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+ ')
+
optional_policy(`fstools.te',`
fstools_run(sysadm_t,sysadm_r,admin_terminal)
')