From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 22 Nov 2014 19:54:34 +0100 Subject: [refpolicy] [PATCH 1/7] Run grub(2)-mkconfig in bootloader domain In-Reply-To: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1416682480-13282-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In order to write the grub configuration and perform the preliminary checks, the grub-mkconfig command should run in the bootloader_t domain. As such, update the file context definition to be bootloader_exec_t. --- policy/modules/admin/bootloader.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index d56f931..d908d56 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -9,4 +9,5 @@ /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) -- 2.0.4
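Review bot: the commit message justifies the change by saying grub-mkconfig must write the grub configuration and run preliminary checks in bootloader_t, but this hunk only relabels the executable as bootloader_exec_t; the actual domain transition still depends on the existing bootloader transition rules in the module (not in this hunk) being granted to the calling domain, and on bootloader_t already having the permissions that grub-mkconfig's checks and config writing need, so it would help to state in the message that those are covered elsewhere in the series. On the entry itself, the new line sits between the -install and -probe entries, keeping the file sorted, uses the same `--` file-type specifier and gen_context form as its neighbours, and the `grub2?` pattern matches both the grub-mkconfig and grub2-mkconfig names; after installing the updated .fc, a `restorecon -v` on the binary followed by `ls -Z` confirms the label took effect.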