policy_module(anaconda, 1.6.1)

gen_require(`
	class passwd all_passwd_perms;
')

gen_require(`
	class passwd { passwd chfn chsh rootok crontab };
')

########################################
#
# Declarations
#

type anaconda_t;
type anaconda_exec_t;
domain_type(anaconda_t)
domain_entry_file(anaconda_t, anaconda_exec_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;

########################################
#
# Local policy
#

allow anaconda_t self:process execmem;
allow anaconda_t self:passwd { rootok passwd chfn chsh };

kernel_domtrans_to(anaconda_t, anaconda_exec_t)

init_domtrans_script(anaconda_t)

logging_send_syslog_msg(anaconda_t)

modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)

seutil_domtrans_semanage(anaconda_t)
seutil_domtrans_setsebool(anaconda_t)

userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })

optional_policy(`
	rpm_domtrans(anaconda_t)
	rpm_domtrans_script(anaconda_t)
')

optional_policy(`
	ssh_domtrans_keygen(anaconda_t)
')

optional_policy(`
	udev_domtrans(anaconda_t)
')

optional_policy(`
	unconfined_domain_noaudit(anaconda_t)
')