From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 17 Aug 2013 20:51:40 +0200 Subject: [refpolicy] [PATCH 1/7] Get grub2-install to work properly In-Reply-To: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be> References: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1376765506-28924-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The grub2-install application runs a few grub2-* commands. Two of those, grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks. Marking those two applications as bootloader_exec_t (as was the case with the "grub" legacy command in the past) allows the commands to continue. Signed-off-by: Sven Vermeulen --- policy/modules/admin/bootloader.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 7a6f06f..2626ebf 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -7,3 +7,5 @@ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) -- 1.8.1.5
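Review bot: The two added entries in policy/modules/admin/bootloader.fc match only the literal paths /usr/sbin/grub2-bios-setup and /usr/sbin/grub2-probe, so a system that installs these helpers under another directory (the context line above already carries a /sbin/ entry for ybin) or under a name without the "2" would keep the default label, and grub2-install would fail there in the same way. Please say in the commit message which layout this was tested on, or widen the path expressions to cover the other locations. Separately, labelling grub2-probe as bootloader_exec_t gives it the whole bootloader domain on transition, not only disk access; the message states that both helpers need read/write access to the fixed disks, and a short note on which of the helper's operations was denied would let a reader confirm that the full domain, rather than a narrower grant, is warranted for the probe tool.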