add firstboot

2005-08-17 14:14:07 +00:00 · 2005-08-17 14:14:07 +00:00 · 57a96cbd0b
commit 57a96cbd0b
parent 2d803edc73
13 changed files with 614 additions and 70 deletions
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@ -67,6 +67,12 @@ optional_policy(`cron.te',`
 	cron_read_pipe(consoletype_t)
 ')

+optional_policy(`firstboot.te',`
+	files_read_etc_files(consoletype_t)
+	firstboot_use_fd(consoletype_t)
+	firstboot_write_pipe(consoletype_t)
+')
+
 optional_policy(`logrotate.te',`
 	logrotate_dontaudit_use_fd(consoletype_t)
 ')
@ -102,8 +108,4 @@ optional_policy(`lpd.te', `
 allow consoletype_t printconf_t:file r_file_perms;
 ')

-optional_policy(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-
 ') dnl end TODO
--- a/refpolicy/policy/modules/admin/firstboot.fc
+++ b/refpolicy/policy/modules/admin/firstboot.fc
@ -0,0 +1,5 @@
+# firstboot
+/usr/sbin/firstboot		--	context_template(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot			context_template(system_u:object_r:firstboot_rw_t,s0)
+/usr/share/firstboot/firstboot\.py --	context_template(system_u:object_r:firstboot_exec_t,s0)
--- a/refpolicy/policy/modules/admin/firstboot.if
+++ b/refpolicy/policy/modules/admin/firstboot.if
@ -0,0 +1,88 @@
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_domtrans',`
+	gen_require(`
+		type firstboot_t, firstboot_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+
+	allow $1 firstboot_t:fd use;
+	allow firstboot_t $1:fd use;
+	allow firstboot_t $1:fifo_file rw_file_perms;
+	allow firstboot_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the firstboot domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the firstboot domain to use.
+## </param>
+#
+interface(`firstboot_run',`
+	gen_require(`
+		type firstboot_t;
+		class chr_file rw_term_perms;
+	')
+
+	firstboot_domtrans($1)
+	role $2 types firstboot_t;
+	allow firstboot_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_use_fd',`
+	gen_require(`
+		type firstboot_t;
+		class fd use;
+	')
+
+	allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_write_pipe',`
+	gen_require(`
+		type firstboot_t;
+		class fifo_file write;
+	')
+
+	allow $1 firstboot_t:fifo_file write;
+')
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@ -0,0 +1,136 @@
+
+policy_module(firstboot,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t,firstboot_exec_t)
+domain_obj_id_change_exempt(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t; #, usercanread;
+files_type(firstboot_etc_t)
+
+type firstboot_rw_t;
+files_type(firstboot_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file { getattr read };
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+files_create_etc_config(firstboot_t,firstboot_rw_t,file)
+
+# The big hammer
+unconfined_domain_template(firstboot_t) 
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctl(firstboot_t)
+
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_raw_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_raw_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+corenet_tcp_bind_all_nodes(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_bin(firstboot_t)
+corecmd_exec_sbin(firstboot_t)
+
+domain_exec_all_entry_files(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_read_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_read_script(firstboot_t)
+init_rw_script_pid(firstboot_t)
+
+libs_use_ld_so(firstboot_t)
+libs_use_shared_libs(firstboot_t)
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fd(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_read_module_conf(firstboot_t)
+modutils_read_mods_deps(firstboot_t)
+
+sysnet_manage_config(firstboot_t)
+
+# Add/remove user home directories
+userdom_create_user_home_dir(firstboot_t)
+userdom_manage_user_home_dir(firstboot_t)
+userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_dirs(firstboot_t)
+userdom_manage_user_home_files(firstboot_t)
+userdom_manage_user_home_symlinks(firstboot_t)
+userdom_manage_user_home_pipes(firstboot_t)
+userdom_manage_user_home_sockets(firstboot_t)
+usermanage_domtrans_useradd(firstboot_t)
+usermanage_domtrans_groupadd(firstboot_t)
+
+optional_policy(`kerberos.te',`
+	kerberos_rw_config(firstboot_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(firstboot_t)
+')
+
+ifdef(`TODO',`
+allow firstboot_t proc_t:file write;
+
+ifdef(`printconf.te', `
+	can_exec(firstboot_t, printconf_t)
+')
+
+ifdef(`samba.te', `
+	rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+ifdef(`userhelper.te', `
+	role system_r types sysadm_userhelper_t;
+	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`xserver.te', `
+	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+') dnl end TODO
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@ -68,7 +68,7 @@ interface(`kerberos_use',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`kerberos_read_conf',`
+interface(`kerberos_read_config',`
 	gen_require(`
 		type krb5_conf_t;
 		class files r_file_perms;
@ -77,3 +77,21 @@ interface(`kerberos_read_conf',`
 	files_search_etc($1)
 	allow $1 krb5_conf_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kerberos_rw_config',`
+	gen_require(`
+		type krb5_conf_t;
+		class files rw_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_conf_t:file rw_file_perms;
+')
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -546,12 +546,6 @@ interface(`files_create_root',`
 	gen_require(`
 		type root_t;
 		class dir create_dir_perms;
-		class file create_file_perms;
-		class lnk_file create_lnk_perms;
-		class fifo_file create_file_perms;
-		class sock_file create_file_perms;
-		class blk_file create_file_perms;
-		class chr_file create_file_perms;
 	')

 	allow $1 root_t:dir rw_dir_perms;
@ -1692,6 +1686,24 @@ interface(`files_dontaudit_search_var',`
 	dontaudit $1 var_t:dir search;
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_dirs',`
+	gen_require(`
+		type var_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 var_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files in the /var directory.
@ -1711,6 +1723,25 @@ interface(`files_read_var_files',`
 	allow $1 var_t:file r_file_perms;
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_files',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in the /var directory.
@ -1730,6 +1761,26 @@ interface(`files_read_var_symlink',`
 	allow $1 var_t:lnk_file { getattr read };
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:lnk_file create_lnk_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the /var/lib directory.
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@ -78,6 +78,10 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(hostname_t)
 ')

+optional_policy(`firstboot.te',`
+	firstboot_use_fd(hostname_t)
+')
+
 optional_policy(`hotplug.te',`
 	hotplug_dontaudit_use_fd(hostname_t)
 ')
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -301,6 +301,13 @@ interface(`init_domtrans_script',`
 ## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
+## <desc>
+##	<p>
+##	Start and stop daemon programs directly
+##	in the traditional "/etc/init.d/daemon start"
+##	style, and do not require run_init.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@ -323,6 +330,24 @@ interface(`init_run_daemon',`
 	dontaudit direct_init $3:chr_file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_read_script',`
+	gen_require(`
+		type initrc_exec_t;
+		class file { getattr read };
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file { getattr read };
+')
+
 ########################################
 #
 # init_exec_script(domain)
@ -440,8 +465,21 @@ interface(`init_udp_sendto_script',`
 ')

 ########################################
-#
-# init_use_script_pty(domain)
+## <summary>
+##	Read and write the init script pty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write the init script pty.  This
+##	pty is generally opened by the open_init_pty
+##	portion of the run_init program so that the
+##	daemon does not require direct access to
+##	the administrator terminal.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`init_use_script_pty',`
 	gen_require(`
@ -453,6 +491,24 @@ interface(`init_use_script_pty',`
 	allow $1 initrc_devpts_t:chr_file rw_term_perms;
 ')

+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`init_read_script_file',`
+	gen_require(`
+		type initrc_exec_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file r_file_perms;
+')
+
 ########################################
 #
 # init_dontaudit_use_script_pty(domain)
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@ -92,6 +92,11 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(iptables_t)
 ')

+optional_policy(`firstboot.te',`
+	firstboot_use_fd(iptables_t)
+	firstboot_write_pipe(iptables_t)
+')
+
 optional_policy(`modutils.te', `
 	corecmd_search_sbin(iptables_t)
 	modutils_domtrans_insmod(iptables_t)
@ -118,8 +123,4 @@ rhgb_domain(iptables_t)
 optional_policy(`gnome-pty-helper.te',`
 	allow iptables_t sysadm_gph_t:fd use;
 ')
-
-optional_policy(`firstboot.te', `
-	allow iptables_t firstboot_t:fifo_file write;
-')
 ') dnl ifdef TODO
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@ -104,6 +104,7 @@ miscfiles_read_localization(cardmgr_t)

 sysnet_domtrans_ifconfig(cardmgr_t)
 # for /etc/resolv.conf
+sysnet_create_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)

 userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -163,6 +163,24 @@ interface(`sysnet_read_config',`
 	allow $1 net_conf_t:file r_file_perms;
 ')

+#######################################
+## <summary>
+##	Create files in /etc with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`sysnet_create_config',`
+	gen_require(`
+		type net_conf_t;
+		class file create_file_perms;
+	')
+
+	files_create_etc_config($1,net_conf_t,file)
+')
+
 #######################################
 ## <summary>
 ##	Create, read, write, and delete network config files.
@ -177,8 +195,7 @@ interface(`sysnet_manage_config',`
 		class file create_file_perms;
 	')

-	allow $1 net_conf_t:file r_file_perms;
-	files_create_etc_config($1,net_conf_t,file)
+	allow $1 net_conf_t:file create_file_perms;
 ')

 #######################################
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1248,57 +1248,6 @@ interface(`userdom_read_all_user_files',`
 	allow $1 home_type:file r_file_perms;
 ')

-########################################
-## <summary>
-##	Write all unprivileged users files in /tmp
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`userdom_write_unpriv_user_tmp',`
-	gen_require(`
-		attribute user_tmpfile;
-		class file { getattr write append };
-	')
-
-	allow $1 user_tmpfile:file { getattr write append };
-')
-
-########################################
-## <summary>
-##	Inherit the file descriptors from all user domains
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`userdom_use_all_user_fd',`
-	gen_require(`
-		attribute userdomain;
-		class fd use;
-	')
-
-	allow $1 userdomain:fd use;
-')
-
-########################################
-## <summary>
-##	Send general signals to all user domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`userdom_signal_all_users',`
-	gen_require(`
-		attribute userdomain;
-		class process signal;
-	')
-
-	allow $1 userdomain:process signal;
-')
-
 ########################################
 ## <summary>
 ##	Send general signals to unprivileged user domains.
@ -1351,6 +1300,184 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	dontaudit $1 unpriv_userdomain:fd use;
 ')

+########################################
+## <summary>
+##	Create generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_create_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_create_home_dirs($1,user_home_dir_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 user_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="object_class" optional="true">
+##	The class of the object to be created.
+##	If not specified, file is used.
+## </param>
+#
+interface(`userdom_create_user_home',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	ifelse(`$2',`',`
+		type_transition $1 user_home_dir_t:file user_home_t;
+	',`
+		type_transition $1 user_home_dir_t:$2 user_home_t;
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	subdirectories of generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_dirs',`
+	gen_require(`
+		type user_home_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 user_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_files',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_symlinks',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_pipes',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class fifo_file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_sockets',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class sock_file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_write_unpriv_user_tmp',`
+	gen_require(`
+		attribute user_tmpfile;
+		class file { getattr write append };
+	')
+
+	allow $1 user_tmpfile:file { getattr write append };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to use unprivileged
@ -1369,6 +1496,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 	dontaudit $1 user_ttynode:chr_file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Inherit the file descriptors from all user domains
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_use_all_user_fd',`
+	gen_require(`
+		attribute userdomain;
+		class fd use;
+	')
+
+	allow $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Send general signals to all user domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_signal_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class process signal;
+	')
+
+	allow $1 userdomain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to user domains.
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -117,6 +117,10 @@ ifdef(`targeted_policy',`
 		clock_run(sysadm_t,sysadm_r,admin_terminal)
 	')

+	optional_policy(`firstboot.te',`
+		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+	')
+
 	optional_policy(`fstools.te',`
 		fstools_run(sysadm_t,sysadm_r,admin_terminal)
 	')