Changes to the firstboot policy module

Ported from Fedora Add init script file type Module clean up Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
TresysTechnology · Oct 1, 2012 · 37a1010 · 37a1010
1 parent ad9a2cc
commit 37a1010
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 56 deletions.
diff --git a/firstboot.fc b/firstboot.fc
@@ -1,3 +1,5 @@
-/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+/etc/rc\.d/init\.d/firstboot.*	--	gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
 
-/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/sbin/firstboot	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
@@ -1,7 +1,4 @@
-## <summary>
-##	Final system configuration run during the first boot
-##	after installation of Red Hat/Fedora systems.
-## </summary>
+## <summary>Initial system configuration utility.</summary>
 
 ########################################
 ## <summary>
@@ -18,13 +15,15 @@ interface(`firstboot_domtrans',`
 		type firstboot_t, firstboot_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, firstboot_exec_t, firstboot_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute firstboot in the firstboot domain, and
-##	allow the specified role the firstboot domain.
+##	Execute firstboot in the firstboot
+##	domain, and allow the specified role
+##	the firstboot domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,16 +38,16 @@ interface(`firstboot_domtrans',`
 #
 interface(`firstboot_run',`
 	gen_require(`
-		type firstboot_t;
+		attribute_role firstboot_roles;
 	')
 
 	firstboot_domtrans($1)
-	role $2 types firstboot_t;
+	roleattribute $2 firstboot_roles;
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use a file descriptor from firstboot.
+##	Inherit and use firstboot file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -66,8 +65,8 @@ interface(`firstboot_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit a
-##	file descriptor from firstboot.
+##	Do not audit attempts to inherit
+##	firstboot file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85,7 +84,7 @@ interface(`firstboot_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Write to a firstboot unnamed pipe.
+##	Write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -103,7 +102,7 @@ interface(`firstboot_write_pipes',`
 
 ########################################
 ## <summary>
-##	Read and Write to a firstboot unnamed pipe.
+##	Read and Write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -121,7 +120,8 @@ interface(`firstboot_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and write to a firstboot unnamed pipe.
+## 	Do not audit attemps to read and
+##	write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -139,8 +139,9 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and write to a firstboot
-##	unix domain stream socket.
+## 	Do not audit attemps to read and
+##	write firstboot unix domain
+##	stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

diff --git a/firstboot.te b/firstboot.te
@@ -1,20 +1,25 @@
-policy_module(firstboot, 1.12.0)
+policy_module(firstboot, 1.12.1)
 
 gen_require(`
-	class passwd rootok;
+	class passwd { passwd chfn chsh rootok };
 ')
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role firstboot_roles;
+
 type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t, firstboot_exec_t)
 domain_obj_id_change_exemption(firstboot_t)
 domain_subj_id_change_exemption(firstboot_t)
-role system_r types firstboot_t;
+role firstboot_roles types firstboot_t;
+
+type firstboot_initrc_exec_t;
+init_script_file(firstboot_initrc_exec_t)
 
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
@@ -28,22 +33,28 @@ allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
 allow firstboot_t self:tcp_socket create_stream_socket_perms;
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t self:passwd rootok;
+allow firstboot_t self:unix_stream_socket create_socket_perms;
+allow firstboot_t self:passwd { rootok passwd chfn chsh };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corenet_all_recvfrom_unlabeled(firstboot_t)
-corenet_all_recvfrom_netlabel(firstboot_t)
-corenet_tcp_sendrecv_generic_if(firstboot_t)
-corenet_tcp_sendrecv_generic_node(firstboot_t)
-corenet_tcp_sendrecv_all_ports(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
 
 dev_read_urand(firstboot_t)
 
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
 selinux_get_fs_mount(firstboot_t)
 selinux_validate_context(firstboot_t)
 selinux_compute_access_vector(firstboot_t)
@@ -53,16 +64,6 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
-corecmd_exec_all_executables(firstboot_t)
-
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-
 init_domtrans_script(firstboot_t)
 init_rw_utmp(firstboot_t)
 
@@ -75,13 +76,9 @@ logging_send_syslog_msg(firstboot_t)
 
 miscfiles_read_localization(firstboot_t)
 
-modutils_domtrans_insmod(firstboot_t)
-modutils_domtrans_depmod(firstboot_t)
-modutils_read_module_config(firstboot_t)
-modutils_read_module_deps(firstboot_t)
+sysnet_dns_name_resolve(firstboot_t)
 
 userdom_use_user_terminals(firstboot_t)
-# Add/remove user home directories
 userdom_manage_user_home_content_dirs(firstboot_t)
 userdom_manage_user_home_content_files(firstboot_t)
 userdom_manage_user_home_content_symlinks(firstboot_t)
@@ -90,10 +87,6 @@ userdom_manage_user_home_content_sockets(firstboot_t)
 userdom_home_filetrans_user_home_dir(firstboot_t)
 userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
-optional_policy(`
-	consoletype_domtrans(firstboot_t)
-')
-
 optional_policy(`
 	dbus_system_bus_client(firstboot_t)
 
@@ -102,6 +95,13 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	modutils_domtrans_insmod(firstboot_t)
+	modutils_domtrans_depmod(firstboot_t)
+	modutils_read_module_config(firstboot_t)
+	modutils_read_module_deps(firstboot_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(firstboot_t)
 ')
@@ -112,18 +112,9 @@ optional_policy(`
 
 optional_policy(`
 	unconfined_domtrans(firstboot_t)
-	# The big hammer
 	unconfined_domain(firstboot_t)
 ')
 
-optional_policy(`
-	usermanage_domtrans_chfn(firstboot_t)
-	usermanage_domtrans_groupadd(firstboot_t)
-	usermanage_domtrans_passwd(firstboot_t)
-	usermanage_domtrans_useradd(firstboot_t)
-	usermanage_domtrans_admin_passwd(firstboot_t)
-')
-
 optional_policy(`
 	gnome_manage_config(firstboot_t)
 ')
@@ -132,4 +123,5 @@ optional_policy(`
 	xserver_domtrans(firstboot_t)
 	xserver_rw_shm(firstboot_t)
 	xserver_unconfined(firstboot_t)
+	xserver_stream_connect(firstboot_t)
 ')