From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 26 Aug 2013 08:39:10 -0400 Subject: [refpolicy] [PATCH 1/7] Get grub2-install to work properly In-Reply-To: <1376765506-28924-2-git-send-email-sven.vermeulen@siphos.be> References: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be> <1376765506-28924-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <521B4C6E.5060606@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/17/2013 02:51 PM, Sven Vermeulen wrote: > The grub2-install application runs a few grub2-* commands. Two of those, > grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks. > > Mark those two applications as bootloader_exec_t (as is the case with the "grub" > legacy command in the past) allows the commands to continue. Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/bootloader.fc | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc > index 7a6f06f..2626ebf 100644 > --- a/policy/modules/admin/bootloader.fc > +++ b/policy/modules/admin/bootloader.fc > @@ -7,3 +7,5 @@ > /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) > > /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) > +/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) > +/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
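Review bot: The two added entries in policy/modules/admin/bootloader.fc match only the literal paths /usr/sbin/grub2-bios-setup and /usr/sbin/grub2-probe, so the labeling is skipped wherever the same tools are installed under a different directory or name. The unchanged context in this hunk already carries a /sbin entry (`/sbin/ybin.*`), which shows the file covers both prefixes. If the helpers can also be installed under /sbin, add matching /sbin lines, or state in the commit message that only the /usr/sbin layout is intended. Because bootloader_exec_t is what gives these commands read/write access to the fixed disks, as the commit message describes, keeping the entries to exact file names rather than a broad `grub2-.*` pattern is the right choice. A short comment above the new lines noting that they are the helpers run by grub2-install would make the reason for the label clear to later readers of the file.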