From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jul 2009 08:43:35 -0400
Subject: [refpolicy] Debian puts grub in  /usr/sbin/grub
In-Reply-To: <87d48kjv66.fsf@anzu.internal.golden-gryphon.com>
References: <87d48kjv66.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <1247575415.31521.36.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-07-01 at 10:10 -0500, Manoj Srivastava wrote:
>         This patch also labels mkinitrd files, though that is likely
>  obsolete now.

If you feel that the mkinitrd is probably obsolete, I'd prefer to keep
that out of upstream.  I'll add the grub file context w/o the
distro_debian.

> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index b638362..d7d6d2f 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -2,6 +2,14 @@
>  /etc/lilo\.conf.*      --      gen_context(system_u:object_r:bootloader_etc_t,s0)
>  /etc/yaboot\.conf.*    --      gen_context(system_u:object_r:bootloader_etc_t,s0)
>  
> +# Debian puts grub in /usr/sbin/grub
> +ifdef(`distro_debian',`
> +/usr/sbin/grub         --      gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/etc/mkinitrd/scripts/.* --    gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/mkinitrd     --      gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/sbin/mkinitrd         --      gen_context(system_u:object_r:bootloader_exec_t,s0)
> +',`
>  /sbin/grub             --      gen_context(system_u:object_r:bootloader_exec_t,s0)
> +')
>  /sbin/lilo.*           --      gen_context(system_u:object_r:bootloader_exec_t,s0)
>  /sbin/ybin.*           --      gen_context(system_u:object_r:bootloader_exec_t,s0)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150