## ## Final system configuration run during the first boot ## after installation of Red Hat/Fedora systems. ## ######################################## ## ## Execute firstboot in the firstboot domain. ## ## ## ## Domain allowed access. ## ## # interface(`firstboot_domtrans',` gen_require(` type firstboot_t, firstboot_exec_t; ') domtrans_pattern($1, firstboot_exec_t, firstboot_t) ') ######################################## ## ## Execute firstboot in the firstboot domain, and ## allow the specified role the firstboot domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the firstboot domain. ## ## # interface(`firstboot_run',` gen_require(` type firstboot_t; ') firstboot_domtrans($1) role $2 types firstboot_t; ') ######################################## ## ## Inherit and use a file descriptor from firstboot. ## ## ## ## Domain allowed access. ## ## # interface(`firstboot_use_fds',` gen_require(` type firstboot_t; ') allow $1 firstboot_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit a ## file descriptor from firstboot. ## ## ## ## Domain to not audit. ## ## # interface(`firstboot_dontaudit_use_fds',` gen_require(` type firstboot_t; ') dontaudit $1 firstboot_t:fd use; ') ######################################## ## ## Write to a firstboot unnamed pipe. ## ## ## ## Domain allowed access. ## ## # interface(`firstboot_write_pipes',` gen_require(` type firstboot_t; ') allow $1 firstboot_t:fifo_file write; ') ######################################## ## ## Read and Write to a firstboot unnamed pipe. ## ## ## ## Domain allowed access. ## ## # interface(`firstboot_rw_pipes',` gen_require(` type firstboot_t; ') allow $1 firstboot_t:fifo_file { read write }; ') ######################################## ## ## Do not audit attemps to read and write to a firstboot unnamed pipe. ## ## ## ## Domain to not audit. ## ## # interface(`firstboot_dontaudit_rw_pipes',` gen_require(` type firstboot_t; ') dontaudit $1 firstboot_t:fifo_file { read write }; ') ######################################## ## ## Do not audit attemps to read and write to a firstboot ## unix domain stream socket. ## ## ## ## Domain to not audit. ## ## # interface(`firstboot_dontaudit_rw_stream_sockets',` gen_require(` type firstboot_t; ') dontaudit $1 firstboot_t:unix_stream_socket { read write }; ')