Hi,
This patch also labels mkinitrd files, though that is likely
obsolete now.
manoj
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index b638362..d7d6d2f 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -2,6 +2,14 @@
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+# Debian puts grub in /usr/sbin/grub
+ifdef(`distro_debian',`
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+',`
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+')
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
--
QOTD: "There may be no excuse for laziness, but I'm sure looking."
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
On Wed, 2009-07-01 at 10:10 -0500, Manoj Srivastava wrote:
> This patch also labels mkinitrd files, though that is likely
> obsolete now.
If you feel that the mkinitrd is probably obsolete, I'd prefer to keep
that out of upstream. I'll add the grub file context w/o the
distro_debian.
> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index b638362..d7d6d2f 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -2,6 +2,14 @@
> /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
>
> +# Debian puts grub in /usr/sbin/grub
> +ifdef(`distro_debian',`
> +/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +',`
> /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +')
> /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On Tue, Jul 14 2009, Christopher J. PeBenito wrote:
> On Wed, 2009-07-01 at 10:10 -0500, Manoj Srivastava wrote:
>> This patch also labels mkinitrd files, though that is likely
>> obsolete now.
>
> If you feel that the mkinitrd is probably obsolete, I'd prefer to keep
> that out of upstream. I'll add the grub file context w/o the
> distro_debian.
Well, Linux kernels no longer have support for non-initramfs
initrds, and in order to use mkinitrd now you need an old, deprecated
version of glibc as well; I suspect there are few installations that
are running old kernel/glibc and will have the new reference
policy. I'll drip it from Debian policy as well.
manoj
--
There are two ways of disliking poetry; one way is to dislike it, the
other is to read Pope. -- Oscar Wilde
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C