forked from fedora-selinux/selinux-policy-contrib
anaconda.te
# Declares the policy module anaconda at version 1.7.0.
policy_module(anaconda, 1.7.0)
# Bring the passwd object class into scope so the rules below can reference it.
# NOTE(review): all_passwd_perms is defined outside this file; presumably it
# expands to every permission of the class - confirm.
gen_require(`
class passwd all_passwd_perms;
')
# Second require on the same class, naming five permissions explicitly.
# NOTE(review): this looks redundant if all_passwd_perms already covers
# them - confirm before merging the two blocks.
gen_require(`
class passwd { passwd chfn chsh rootok crontab };
')
########################################
#
# Declarations
#
# Three domains are declared here: anaconda_t, install_t and preupgrade_t,
# each with its own entry-point file type, plus one data file type.

# anaconda_t: process domain entered through files labeled anaconda_exec_t.
type anaconda_t;
type anaconda_exec_t;
domain_type(anaconda_t)
domain_entry_file(anaconda_t, anaconda_exec_t)
# NOTE(review): per the interface name this exempts anaconda_t from the
# constraints on changing object identity; the interface is defined outside
# this file - confirm the exact scope when auditing relabeling behaviour.
domain_obj_id_change_exemption(anaconda_t)
# Authorize the system_r role to run processes in anaconda_t.
role system_r types anaconda_t;
# install_roles is a role attribute; system_r is its only member assigned in
# this file. Other modules may add further roles to it.
attribute_role install_roles;
roleattribute system_r install_roles;
# install_t: application domain entered through install_exec_t, available to
# every role carrying the install_roles attribute.
type install_t;
type install_exec_t;
application_domain(install_t, install_exec_t)
role install_roles types install_t;
# preupgrade_t: application domain entered through preupgrade_exec_t,
# authorized for system_r only.
type preupgrade_t;
type preupgrade_exec_t;
application_domain(preupgrade_t, preupgrade_exec_t)
role system_r types preupgrade_t;
# preupgrade_data_t: file type for data managed by preupgrade_t (see the
# manage patterns in the preupgrade_t local policy section of this file).
type preupgrade_data_t;
files_type(preupgrade_data_t)
########################################
#
# anaconda_t local policy
#
# execmem permits memory in the domain's own processes that is both writable
# and executable, which removes one memory-protection check for anaconda_t.
allow anaconda_t self:process execmem;
# Grants four of the five passwd-class permissions required above; crontab is
# required but not granted here.
allow anaconda_t self:passwd { rootok passwd chfn chsh };
# NOTE(review): the interfaces below are defined outside this file. By their
# names they set up a transition from the kernel domain into anaconda_t via
# anaconda_exec_t, and let anaconda_t transition into the init script,
# insmod, depmod, semanage and setsebool domains - confirm against the
# interface definitions.
kernel_domtrans_to(anaconda_t, anaconda_exec_t)
init_domtrans_script(anaconda_t)
logging_send_syslog_msg(anaconda_t)
modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
seutil_domtrans_setsebool(anaconda_t)
userdom_filetrans_home_content(anaconda_t)
# Each optional_policy block only takes effect when the module providing the
# interface is present in the loaded policy.
optional_policy(`
rpm_domtrans(anaconda_t)
rpm_domtrans_script(anaconda_t)
')
optional_policy(`
ssh_domtrans_keygen(anaconda_t)
')
optional_policy(`
udev_domtrans(anaconda_t)
')
# Security note: when the unconfined module is present this makes anaconda_t
# an unconfined domain, so the narrower allow rules above no longer bound
# what the domain can do. Reviewers should treat anaconda_t as effectively
# unrestricted by type enforcement and focus on which files carry the
# anaconda_exec_t label and which domains can transition in.
# NOTE(review): the precise effect of the noaudit variant is defined in the
# unconfined module - confirm there.
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
########################################
#
# install_t local policy
#
# mac_admin is the capability2 permission behind CAP_MAC_ADMIN. Granting it
# lets install_t work with security labels beyond the normal checks, so this
# domain should be limited to trusted installer binaries.
allow install_t self:capability2 mac_admin;
# NOTE(review): the dbus_chat interfaces are defined outside this file; by
# name they allow D-Bus message exchange with localed, logind and init.
systemd_dbus_chat_localed(install_t)
systemd_dbus_chat_logind(install_t)
init_dbus_chat(install_t)
# The branch taken when deny_ptrace is enabled is empty; the other branch
# applies when the boolean is off and grants install_t ptrace over all
# domains. Turning deny_ptrace on is what removes this access.
tunable_policy(`deny_ptrace',`',`
domain_ptrace_all_domains(install_t)
')
# The run interfaces below take both the domain and the install_roles
# attribute. NOTE(review): by refpolicy convention a run interface allows the
# transition and authorizes the given roles for the target domain - confirm
# against the interface definitions.
optional_policy(`
iscsid_run(install_t, install_roles)
')
optional_policy(`
mount_run(install_t, install_roles)
')
optional_policy(`
networkmanager_dbus_chat(install_t)
')
optional_policy(`
policykit_dbus_chat(install_t)
')
optional_policy(`
seutil_run_setfiles_mac(install_t, install_roles)
')
# Security note: when the unconfined module is present install_t becomes an
# unconfined domain, so the individual grants above do not bound it. Any role
# added to install_roles elsewhere then gains access to an effectively
# unrestricted domain; audit roleattribute statements for install_roles
# across the whole policy.
optional_policy(`
unconfined_domain_noaudit(install_t)
')
########################################
#
# preupgrade_t local policy
#
# Let preupgrade_t manage regular files, directories and symbolic links
# labeled preupgrade_data_t inside directories of the same type.
manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
# Security note: when the unconfined module is present preupgrade_t becomes
# an unconfined domain, which makes the three manage patterns above a subset
# of what the domain may already do. Without that module the patterns are
# the only access this file grants to preupgrade_t.
optional_policy(`
unconfined_domain_noaudit(preupgrade_t)
')