[selinux-policy: 568/3172] add firstboot

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:53:42 UTC 2010


commit 57a96cbd0bc3092cc1e131b3e2478349f79c406a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 17 14:14:07 2005 +0000

    add firstboot

 refpolicy/policy/modules/admin/consoletype.te |   10 +-
 refpolicy/policy/modules/admin/firstboot.fc   |    5 +
 refpolicy/policy/modules/admin/firstboot.if   |   88 ++++++++++
 refpolicy/policy/modules/admin/firstboot.te   |  136 +++++++++++++++
 refpolicy/policy/modules/services/kerberos.if |   20 ++-
 refpolicy/policy/modules/system/files.if      |   63 +++++++-
 refpolicy/policy/modules/system/hostname.te   |    4 +
 refpolicy/policy/modules/system/init.if       |   60 +++++++-
 refpolicy/policy/modules/system/iptables.te   |    9 +-
 refpolicy/policy/modules/system/pcmcia.te     |    1 +
 refpolicy/policy/modules/system/sysnetwork.if |   21 ++-
 refpolicy/policy/modules/system/userdomain.if |  225 +++++++++++++++++++++----
 refpolicy/policy/modules/system/userdomain.te |    4 +
 13 files changed, 595 insertions(+), 51 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index c1ff4e9..1c751aa 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,6 +67,12 @@ optional_policy(`cron.te',`
 	cron_read_pipe(consoletype_t)
 ')
 
+optional_policy(`firstboot.te',`
+	files_read_etc_files(consoletype_t)
+	firstboot_use_fd(consoletype_t)
+	firstboot_write_pipe(consoletype_t)
+')
+
 optional_policy(`logrotate.te',`
 	logrotate_dontaudit_use_fd(consoletype_t)
 ')
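Review bot: `files_read_etc_files(consoletype_t)` is placed inside the new `optional_policy(`firstboot.te',...)` block, so consoletype's ability to read /etc files now depends on whether the firstboot module is built, which has nothing to do with firstboot itself. If the read is needed only when consoletype is spawned from firstboot, a one-line comment saying so would make the conditional intentional; otherwise the call belongs with the unconditional rules outside the block. The other two lines, `firstboot_use_fd` and `firstboot_write_pipe`, correctly replace the raw `fifo_file write` rule removed from the TODO section further down in this file.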
@@ -102,8 +108,4 @@ optional_policy(`lpd.te', `
 allow consoletype_t printconf_t:file r_file_perms;
 ')
 
-optional_policy(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/firstboot.fc b/refpolicy/policy/modules/admin/firstboot.fc
new file mode 100644
index 0000000..6d2e5f8
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.fc
@@ -0,0 +1,5 @@
+# firstboot
+/usr/sbin/firstboot		--	context_template(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot			context_template(system_u:object_r:firstboot_rw_t,s0)
+/usr/share/firstboot/firstboot\.py --	context_template(system_u:object_r:firstboot_exec_t,s0)
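Review bot: The entry `/usr/share/firstboot` labels only the directory node itself as `firstboot_rw_t`; without a `(/.*)?` suffix, other files shipped under it (apart from `firstboot.py`, which has its own entry) presumably keep the default label for that part of /usr, so the `firstboot_rw_t:file create_file_perms` rule in firstboot.te would not cover them. If the whole tree is meant to be managed by firstboot the pattern should be `/usr/share/firstboot(/.*)?`; if only the directory is, a comment stating that would remove the ambiguity. Also worth confirming: `firstboot_etc_t` is declared in firstboot.te but has no entry in this file, so nothing is labelled with it by this commit.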
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
new file mode 100644
index 0000000..13678e0
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.if
@@ -0,0 +1,88 @@
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_domtrans',`
+	gen_require(`
+		type firstboot_t, firstboot_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+
+	allow $1 firstboot_t:fd use;
+	allow firstboot_t $1:fd use;
+	allow firstboot_t $1:fifo_file rw_file_perms;
+	allow firstboot_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the firstboot domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the firstboot domain to use.
+## </param>
+#
+interface(`firstboot_run',`
+	gen_require(`
+		type firstboot_t;
+		class chr_file rw_term_perms;
+	')
+
+	firstboot_domtrans($1)
+	role $2 types firstboot_t;
+	allow firstboot_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_use_fd',`
+	gen_require(`
+		type firstboot_t;
+		class fd use;
+	')
+
+	allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`firstboot_write_pipe',`
+	gen_require(`
+		type firstboot_t;
+		class fifo_file write;
+	')
+
+	allow $1 firstboot_t:fifo_file write;
+')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
new file mode 100644
index 0000000..aaf5090
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -0,0 +1,136 @@
+
+policy_module(firstboot,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t,firstboot_exec_t)
+domain_obj_id_change_exempt(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t; #, usercanread;
+files_type(firstboot_etc_t)
+
+type firstboot_rw_t;
+files_type(firstboot_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file { getattr read };
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+files_create_etc_config(firstboot_t,firstboot_rw_t,file)
+
+# The big hammer
+unconfined_domain_template(firstboot_t) 
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctl(firstboot_t)
+
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_raw_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_raw_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+corenet_tcp_bind_all_nodes(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_bin(firstboot_t)
+corecmd_exec_sbin(firstboot_t)
+
+domain_exec_all_entry_files(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_read_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_read_script(firstboot_t)
+init_rw_script_pid(firstboot_t)
+
+libs_use_ld_so(firstboot_t)
+libs_use_shared_libs(firstboot_t)
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fd(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_read_module_conf(firstboot_t)
+modutils_read_mods_deps(firstboot_t)
+
+sysnet_manage_config(firstboot_t)
+
+# Add/remove user home directories
+userdom_create_user_home_dir(firstboot_t)
+userdom_manage_user_home_dir(firstboot_t)
+userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_dirs(firstboot_t)
+userdom_manage_user_home_files(firstboot_t)
+userdom_manage_user_home_symlinks(firstboot_t)
+userdom_manage_user_home_pipes(firstboot_t)
+userdom_manage_user_home_sockets(firstboot_t)
+usermanage_domtrans_useradd(firstboot_t)
+usermanage_domtrans_groupadd(firstboot_t)
+
+optional_policy(`kerberos.te',`
+	kerberos_rw_config(firstboot_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(firstboot_t)
+')
+
+ifdef(`TODO',`
+allow firstboot_t proc_t:file write;
+
+ifdef(`printconf.te', `
+	can_exec(firstboot_t, printconf_t)
+')
+
+ifdef(`samba.te', `
+	rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+ifdef(`userhelper.te', `
+	role system_r types sysadm_userhelper_t;
+	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`xserver.te', `
+	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+') dnl end TODO
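Review bot: `unconfined_domain_template(firstboot_t)` under the `# The big hammer` comment leaves every narrower rule in this file unenforced while it remains, so the module as committed does not actually confine firstboot and the detailed allow rules around it cannot be validated against real denials. A comment stating whether the template is a temporary bridge and what must hold before it is dropped would make that intent reviewable, e.g. `# TODO: remove once the rules in this file are confirmed sufficient`. Separately, `firstboot_etc_t` is declared and read but nothing in this commit labels a file with it, while `files_create_etc_config(firstboot_t,firstboot_rw_t,file)` transitions new /etc files to `firstboot_rw_t`, the type this commit uses for /usr/share/firstboot; it looks like `firstboot_etc_t` was intended there — confirm. `allow firstboot_t self:passwd rootok;` and `domain_obj_id_change_exempt(firstboot_t)` are also broad grants that deserve a why-comment each.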
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index a2a76fe..499c7b1 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -68,7 +68,7 @@ interface(`kerberos_use',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`kerberos_read_conf',`
+interface(`kerberos_read_config',`
 	gen_require(`
 		type krb5_conf_t;
 		class files r_file_perms;
@@ -77,3 +77,21 @@ interface(`kerberos_read_conf',`
 	files_search_etc($1)
 	allow $1 krb5_conf_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kerberos_rw_config',`
+	gen_require(`
+		type krb5_conf_t;
+		class files rw_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_conf_t:file rw_file_perms;
+')
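Review bot: `class files rw_file_perms;` in the new `kerberos_rw_config` gen_require names an object class `files` that does not exist; the allow rule beneath it targets `krb5_conf_t:file`, so the require should read `class file rw_file_perms;`. The same typo sits in the unchanged `kerberos_read_config` require just above (`class files r_file_perms;`), from which this was evidently copied, and could be fixed in the same change. The rename `kerberos_read_conf` → `kerberos_read_config` in the first hunk of this file is fine provided no caller outside this diff still uses the old name; none is visible here.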
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6acc26c..980b8e3 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -546,12 +546,6 @@ interface(`files_create_root',`
 	gen_require(`
 		type root_t;
 		class dir create_dir_perms;
-		class file create_file_perms;
-		class lnk_file create_lnk_perms;
-		class fifo_file create_file_perms;
-		class sock_file create_file_perms;
-		class blk_file create_file_perms;
-		class chr_file create_file_perms;
 	')
 
 	allow $1 root_t:dir rw_dir_perms;
@@ -1694,6 +1688,24 @@ interface(`files_dontaudit_search_var',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete directories
+##	in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_dirs',`
+	gen_require(`
+		type var_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 var_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read files in the /var directory.
 ## </summary>
 ## <param name="domain">
@@ -1713,6 +1725,25 @@ interface(`files_read_var_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_files',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:file create_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read symbolic links in the /var directory.
 ## </summary>
 ## <param name="domain">
@@ -1732,6 +1763,26 @@ interface(`files_read_var_symlink',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete symbolic
+##	links in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the /var/lib directory.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index a96f5fa..73db9df 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -78,6 +78,10 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(hostname_t)
 ')
 
+optional_policy(`firstboot.te',`
+	firstboot_use_fd(hostname_t)
+')
+
 optional_policy(`hotplug.te',`
 	hotplug_dontaudit_use_fd(hostname_t)
 ')
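Review bot: hostname_t gains only `firstboot_use_fd` here, whereas the parallel blocks added to consoletype.te and iptables.te in this commit grant both `firstboot_use_fd` and `firstboot_write_pipe`. If firstboot runs hostname and reads its output through a pipe, as it appears to for the other two helpers, the write will be denied; if hostname's output is not collected, a short comment such as `# output is not read back by firstboot` would document the asymmetry so it is not "fixed" later.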
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d93fdc3..9543b93 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -301,6 +301,13 @@ interface(`init_domtrans_script',`
 ## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
+## <desc>
+##	<p>
+##	Start and stop daemon programs directly
+##	in the traditional "/etc/init.d/daemon start"
+##	style, and do not require run_init.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -324,6 +331,24 @@ interface(`init_run_daemon',`
 ')
 
 ########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_read_script',`
+	gen_require(`
+		type initrc_exec_t;
+		class file { getattr read };
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file { getattr read };
+')
+
+########################################
 #
 # init_exec_script(domain)
 #
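Review bot: `init_read_script` (this hunk) and `init_read_script_file` (the later hunk in this file) grant the same access — reading `initrc_exec_t` files — differing only in `files_list_etc` vs `files_search_etc` and `{ getattr read }` vs `r_file_perms`, and both carry the identical summary "Read init scripts." Two interfaces with the same summary and near-identical bodies will drift; one should call the other or be dropped, and whichever survives should say in its summary what distinguishes it. Note that `files_list_etc` also allows reading the /etc directory listing, which is broader than the `files_search_etc` used by the second variant and by the new `kerberos_rw_config`; the new firstboot.te calls `init_read_script`, so it receives the broader form.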
@@ -440,8 +465,21 @@ interface(`init_udp_sendto_script',`
 ')
 
 ########################################
-#
-# init_use_script_pty(domain)
+## <summary>
+##	Read and write the init script pty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write the init script pty.  This
+##	pty is generally opened by the open_init_pty
+##	portion of the run_init program so that the
+##	daemon does not require direct access to
+##	the administrator terminal.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`init_use_script_pty',`
 	gen_require(`
@@ -454,6 +492,24 @@ interface(`init_use_script_pty',`
 ')
 
 ########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`init_read_script_file',`
+	gen_require(`
+		type initrc_exec_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file r_file_perms;
+')
+
+########################################
 #
 # init_dontaudit_use_script_pty(domain)
 #
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 8b0620e..509ba51 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -92,6 +92,11 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(iptables_t)
 ')
 
+optional_policy(`firstboot.te',`
+	firstboot_use_fd(iptables_t)
+	firstboot_write_pipe(iptables_t)
+')
+
 optional_policy(`modutils.te', `
 	corecmd_search_sbin(iptables_t)
 	modutils_domtrans_insmod(iptables_t)
@@ -118,8 +123,4 @@ rhgb_domain(iptables_t)
 optional_policy(`gnome-pty-helper.te',`
 	allow iptables_t sysadm_gph_t:fd use;
 ')
-
-optional_policy(`firstboot.te', `
-	allow iptables_t firstboot_t:fifo_file write;
-')
 ') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 28ac24a..133694a 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -104,6 +104,7 @@ miscfiles_read_localization(cardmgr_t)
 
 sysnet_domtrans_ifconfig(cardmgr_t)
 # for /etc/resolv.conf
+sysnet_create_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)
 
 userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index fc7109b..7373da2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -165,6 +165,24 @@ interface(`sysnet_read_config',`
 
 #######################################
 ## <summary>
+##	Create files in /etc with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`sysnet_create_config',`
+	gen_require(`
+		type net_conf_t;
+		class file create_file_perms;
+	')
+
+	files_create_etc_config($1,net_conf_t,file)
+')
+
+#######################################
+## <summary>
 ##	Create, read, write, and delete network config files.
 ## </summary>
 ## <param name="domain">
@@ -177,8 +195,7 @@ interface(`sysnet_manage_config',`
 		class file create_file_perms;
 	')
 
-	allow $1 net_conf_t:file r_file_perms;
-	files_create_etc_config($1,net_conf_t,file)
+	allow $1 net_conf_t:file create_file_perms;
 ')
 
 #######################################
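Review bot: Dropping `files_create_etc_config($1,net_conf_t,file)` from `sysnet_manage_config` changes the behaviour of every existing caller, not only the ones touched here: a caller that relied on the /etc type transition to `net_conf_t` silently loses it unless it also adds the new `sysnet_create_config`. pcmcia.te is updated accordingly in this commit, but the new firstboot.te calls only `sysnet_manage_config`, and callers outside this diff cannot be checked from here. Either keep the transition in `sysnet_manage_config` (manage normally implies create) or state the split in its summary, e.g. `## Does not set a type transition; use sysnet_create_config for that.`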
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d3809ef..a7342bd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1250,105 +1250,232 @@ interface(`userdom_read_all_user_files',`
 
 ########################################
 ## <summary>
-##	Write all unprivileged users files in /tmp
+##	Send general signals to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`userdom_write_unpriv_user_tmp',`
+interface(`userdom_signal_unpriv_users',`
 	gen_require(`
-		attribute user_tmpfile;
-		class file { getattr write append };
+		attribute unpriv_userdomain;
+		class process signal;
 	')
 
-	allow $1 user_tmpfile:file { getattr write append };
+	allow $1 unpriv_userdomain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Inherit the file descriptors from all user domains
+##	Inherit the file descriptors from unprivileged user domains.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`userdom_use_all_user_fd',`
+interface(`userdom_use_unpriv_users_fd',`
 	gen_require(`
-		attribute userdomain;
+		attribute unpriv_userdomain;
 		class fd use;
 	')
 
-	allow $1 userdomain:fd use;
+	allow $1 unpriv_userdomain:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Send general signals to all user domains.
+##	Do not audit attempts to inherit the
+##	file descriptors from all user domains.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`userdom_signal_all_users',`
+interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	gen_require(`
-		attribute userdomain;
-		class process signal;
+		attribute unpriv_userdomain;
+		class fd use;
 	')
 
-	allow $1 userdomain:process signal;
+	dontaudit $1 unpriv_userdomain:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Send general signals to unprivileged user domains.
+##	Create generic user home directories
+##	with automatic file type transition.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_signal_unpriv_users',`
+interface(`userdom_create_user_home_dir',`
 	gen_require(`
-		attribute unpriv_userdomain;
-		class process signal;
+		type user_home_dir_t;
 	')
 
-	allow $1 unpriv_userdomain:process signal;
+	files_create_home_dirs($1,user_home_dir_t)
 ')
 
 ########################################
 ## <summary>
-##	Inherit the file descriptors from unprivileged user domains.
+##	Create, read, write, and delete
+##	generic user home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_use_unpriv_users_fd',`
+interface(`userdom_manage_user_home_dir',`
 	gen_require(`
-		attribute unpriv_userdomain;
-		class fd use;
+		type user_home_dir_t;
+		class dir create_dir_perms;
 	')
 
-	allow $1 unpriv_userdomain:fd use;
+	allow $1 user_home_dir_t:dir create_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit the
-##	file descriptors from all user domains.
+##	Create objects in generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="object_class" optional="true">
+##	The class of the object to be created.
+##	If not specified, file is used.
+## </param>
+#
+interface(`userdom_create_user_home',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	ifelse(`$2',`',`
+		type_transition $1 user_home_dir_t:file user_home_t;
+	',`
+		type_transition $1 user_home_dir_t:$2 user_home_t;
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	subdirectories of generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_dirs',`
+	gen_require(`
+		type user_home_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 user_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_files',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_symlinks',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_pipes',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class fifo_file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_user_home_sockets',`
+	gen_require(`
+		type user_home_t;
+		class dir rw_dir_perms;
+		class sock_file create_file_perms;
+	')
+
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users files in /tmp
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`userdom_dontaudit_use_unpriv_user_fd',`
+interface(`userdom_write_unpriv_user_tmp',`
 	gen_require(`
-		attribute unpriv_userdomain;
-		class fd use;
+		attribute user_tmpfile;
+		class file { getattr write append };
 	')
 
-	dontaudit $1 unpriv_userdomain:fd use;
+	allow $1 user_tmpfile:file { getattr write append };
 ')
 
 ########################################
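Review bot: `allow $1 etc_t:dir rw_dir_perms;` in the new `userdom_create_user_home` is wrong for this interface: `etc_t` is not in its gen_require (only `user_home_dir_t, user_home_t` are) and the type transitions that follow are on `user_home_dir_t`, so the rule should be `allow $1 user_home_dir_t:dir rw_dir_perms;`. As written it either fails to resolve in a modular build or grants the caller write access to `etc_t` directories, a privilege the interface summary does not describe; the line looks copied from `files_create_etc_config`. The rest of the hunk reorders existing interfaces and adds the `userdom_manage_user_home_*` set, which is consistent with the `files_manage_var_*` interfaces added to files.if in this commit.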
@@ -1371,6 +1498,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 
 ########################################
 ## <summary>
+##	Inherit the file descriptors from all user domains
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_use_all_user_fd',`
+	gen_require(`
+		attribute userdomain;
+		class fd use;
+	')
+
+	allow $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Send general signals to all user domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_signal_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class process signal;
+	')
+
+	allow $1 userdomain:process signal;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to user domains.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index b32e891..2ad973e 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -117,6 +117,10 @@ ifdef(`targeted_policy',`
 		clock_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`firstboot.te',`
+		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+	')
+
 	optional_policy(`fstools.te',`
 		fstools_run(sysadm_t,sysadm_r,admin_terminal)
 	')
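Review bot: `firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)` passes a concrete tty type as the terminal argument, while the neighbouring `clock_run` and `fstools_run` calls in this block pass `admin_terminal`. If there is no reason firstboot must be limited to the tty device, `firstboot_run(sysadm_t,sysadm_r,admin_terminal)` keeps the block consistent; if there is one, a one-line comment on the call would stop a later cleanup from changing it.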

