2005-04-29 17:45:15 +00:00
|
|
|
#DESC firstboot
|
|
|
|
#
|
|
|
|
# Author: Dan Walsh <dwalsh@redhat.com>
|
|
|
|
# X-Debian-Packages: firstboot
|
|
|
|
#
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Rules for the firstboot_t domain.
|
|
|
|
#
|
|
|
|
# firstboot_exec_t is the type of the firstboot executable.
|
|
|
|
#
|
2005-09-15 15:34:31 +00:00
|
|
|
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
|
2005-04-29 17:45:15 +00:00
|
|
|
type firstboot_rw_t, file_type, sysadmfile;
|
|
|
|
role system_r types firstboot_t;
|
|
|
|
|
|
|
|
ifdef(`xserver.te', `
|
|
|
|
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
etc_domain(firstboot)
|
|
|
|
|
|
|
|
allow firstboot_t proc_t:file r_file_perms;
|
|
|
|
|
|
|
|
allow firstboot_t urandom_device_t:chr_file { getattr read };
|
|
|
|
allow firstboot_t proc_t:file { getattr read write };
|
|
|
|
|
|
|
|
domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
|
|
|
|
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
|
|
|
|
|
|
|
|
can_exec_any(firstboot_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
ifdef(`useradd.te',`
|
2005-04-29 17:45:15 +00:00
|
|
|
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
|
|
|
|
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
')
|
2005-04-29 17:45:15 +00:00
|
|
|
allow firstboot_t etc_runtime_t:file { getattr read };
|
|
|
|
|
|
|
|
r_dir_file(firstboot_t, etc_t)
|
|
|
|
|
|
|
|
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
|
|
|
|
allow firstboot_t firstboot_rw_t:file create_file_perms;
|
|
|
|
allow firstboot_t self:fifo_file { getattr read write };
|
|
|
|
allow firstboot_t self:process { fork sigchld };
|
|
|
|
allow firstboot_t self:unix_stream_socket { connect create };
|
|
|
|
allow firstboot_t initrc_exec_t:file { getattr read };
|
|
|
|
allow firstboot_t initrc_var_run_t:file r_file_perms;
|
|
|
|
allow firstboot_t lib_t:file { getattr read };
|
|
|
|
allow firstboot_t local_login_t:fd use;
|
|
|
|
read_locale(firstboot_t)
|
|
|
|
|
|
|
|
allow firstboot_t proc_t:dir search;
|
|
|
|
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
|
|
|
|
allow firstboot_t usr_t:file r_file_perms;
|
|
|
|
|
|
|
|
allow firstboot_t etc_t:file write;
|
|
|
|
|
|
|
|
# Allow write to utmp file
|
|
|
|
allow firstboot_t initrc_var_run_t:file write;
|
|
|
|
|
|
|
|
allow firstboot_t krb5_conf_t:file { getattr read };
|
|
|
|
allow firstboot_t net_conf_t:file { getattr read };
|
|
|
|
|
|
|
|
ifdef(`samba.te', `
|
|
|
|
rw_dir_file(firstboot_t, samba_etc_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit firstboot_t shadow_t:file getattr;
|
|
|
|
|
|
|
|
role system_r types initrc_t;
|
|
|
|
#role_transition firstboot_r initrc_exec_t system_r;
|
|
|
|
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
|
|
|
|
|
|
|
|
allow firstboot_t self:passwd rootok;
|
|
|
|
|
|
|
|
ifdef(`userhelper.te', `
|
|
|
|
role system_r types sysadm_userhelper_t;
|
|
|
|
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
ifdef(`consoletype.te', `
|
|
|
|
allow consoletype_t devtty_t:chr_file { read write };
|
|
|
|
allow consoletype_t etc_t:file { getattr read };
|
|
|
|
allow consoletype_t firstboot_t:fd use;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
|
|
|
|
|
|
|
|
allow firstboot_t self:capability { dac_override setgid };
|
|
|
|
allow firstboot_t self:dir search;
|
|
|
|
allow firstboot_t self:file { read write };
|
|
|
|
allow firstboot_t self:lnk_file read;
|
|
|
|
can_setfscreate(firstboot_t)
|
|
|
|
allow firstboot_t krb5_conf_t:file rw_file_perms;
|
|
|
|
|
|
|
|
allow firstboot_t modules_conf_t:file { getattr read };
|
|
|
|
allow firstboot_t modules_dep_t:file { getattr read };
|
|
|
|
allow firstboot_t modules_object_t:dir search;
|
|
|
|
allow firstboot_t net_conf_t:file rw_file_perms;
|
|
|
|
allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
|
|
|
|
allow firstboot_t node_t:node { tcp_recv tcp_send };
|
|
|
|
|
|
|
|
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
|
|
|
|
allow firstboot_t proc_t:lnk_file read;
|
|
|
|
|
|
|
|
can_getsecurity(firstboot_t)
|
|
|
|
|
|
|
|
dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
|
|
|
|
read_sysctl(firstboot_t)
|
|
|
|
|
|
|
|
allow firstboot_t var_run_t:dir getattr;
|
|
|
|
allow firstboot_t var_t:dir getattr;
|
2005-09-15 15:34:31 +00:00
|
|
|
ifdef(`hostname.te', `
|
2005-04-29 17:45:15 +00:00
|
|
|
allow hostname_t devtty_t:chr_file { read write };
|
|
|
|
allow hostname_t firstboot_t:fd use;
|
2005-09-15 15:34:31 +00:00
|
|
|
')
|
2005-04-29 17:45:15 +00:00
|
|
|
ifdef(`iptables.te', `
|
|
|
|
allow iptables_t devtty_t:chr_file { read write };
|
|
|
|
allow iptables_t firstboot_t:fd use;
|
|
|
|
allow iptables_t firstboot_t:fifo_file write;
|
|
|
|
')
|
|
|
|
can_network_server(firstboot_t)
|
|
|
|
can_ypbind(firstboot_t)
|
|
|
|
ifdef(`printconf.te', `
|
|
|
|
can_exec(firstboot_t, printconf_t)
|
|
|
|
')
|
|
|
|
create_dir_file(firstboot_t, var_t)
|
|
|
|
# Add/remove user home directories
|
|
|
|
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
|
|
|
|
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
|
|
|
|
|
|
|
|
#
|
|
|
|
# The big hammer
|
|
|
|
#
|
|
|
|
unconfined_domain(firstboot_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
ifdef(`targeted_policy', `
|
|
|
|
allow firstboot_t unconfined_t:process transition;
|
|
|
|
')
|
2005-04-29 17:45:15 +00:00
|
|
|
|