selinux-policy/targeted/domains/program/firstboot.te

#DESC firstboot
#
# Author:  Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#

#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;

ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')

etc_domain(firstboot)

allow firstboot_t proc_t:file r_file_perms;

allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };

domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)

can_exec_any(firstboot_t)
ifdef(`useradd.te',`
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
')
allow firstboot_t etc_runtime_t:file { getattr read };

r_dir_file(firstboot_t, etc_t)

allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)

allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;

allow firstboot_t etc_t:file write;

# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;

ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')

dontaudit firstboot_t shadow_t:file getattr;

role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)

allow firstboot_t self:passwd rootok;

ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')

ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')

allow firstboot_t etc_t:{ file lnk_file } create_file_perms;

allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;

allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;

can_getsecurity(firstboot_t)

dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)

allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
ifdef(`hostname.te', `
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
')
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)

#
# The big hammer
#
unconfined_domain(firstboot_t) 
ifdef(`targeted_policy', `
allow firstboot_t unconfined_t:process transition;
')