From: jason@perfinion.com (Jason Zaman)
Date: Sun, 5 Feb 2017 18:13:29 +0800
Subject: [refpolicy] [PATCH v2] bootloader: grub needs to manage grub.cfg and read kernels
Message-ID: <20170205101329.17344-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

commit b0c13980d224c49207315154905eb7fcb90f289d broke grub-mkconfig which needs to be able to update the grub.cfg file. Remove the fcontext for grub.cfg so it can update the file. Also, grub needs to be able to read the kernels and symlinks to them so it can add them to the config.

$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg': Permission denied

type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3
name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE --- policy/modules/admin/bootloader.fc | 3 --- policy/modules/admin/bootloader.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index c43c428..d62e8e3 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,9 +1,6 @@ /boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) /boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) - /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 962cfd0..e5669b5 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -108,6 +108,8 @@ corecmd_exec_all_executables(bootloader_t) domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) +files_read_boot_files(bootloader_t) +files_read_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) -- 2.10.2
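Review bot: the bootloader.fc hunk changes the label of grub.cfg and grub.conf from bootloader_etc_t to bootloader_run_t (they now fall under the remaining `/boot/grub.*/.*` pattern), but the commit message only says the fcontext is removed; state the resulting label explicitly, and note that existing installs need a relabel of /boot/grub (restorecon) before the rule set and the on-disk labels agree. Dropping the fcontext is the consistent choice here: the audit trail shows grub-mkconfig writes grub.cfg.new (item=2, already bootloader_run_t) and renames it over grub.cfg, and a rename keeps the source file's label, so simply allowing bootloader_t to unlink bootloader_etc_t files would have left grub.cfg mislabelled after the first regeneration anyway. It would also help reviewers to say whether anything else depended on grub.cfg being bootloader_etc_t rather than bootloader_run_t, since the removal widens what can read and write the config to everything allowed on bootloader_run_t.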
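Review bot: the bootloader.te hunk adds `files_read_boot_files(bootloader_t)` and `files_read_boot_symlinks(bootloader_t)` on the strength of the sentence "grub needs to be able to read the kernels and symlinks to them", but the only denial in the commit message is the unlink on grub.cfg; include the read/getattr AVCs on boot_t (or say they were observed) so the two new interface calls are traceable to a denial rather than to intent. Ordering is fine: the new lines sit alphabetically between files_create_boot_dirs and files_read_etc_files, matching the surrounding block.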