From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 11 Feb 2017 14:51:54 -0500
Subject: [refpolicy] [PATCH] bootloader: add permissions to read boot files in order to generate a configuration file
In-Reply-To: <20170208021335.GA2470@meriadoc.perfinion.com>
References: <1482452559.20547.19.camel@trentalancia.net>
 <20170205054446.GB5742@meriadoc.perfinion.com>
 <85ccfdef-680e-fc31-6640-18567b4609b9@ieee.org>
 <1486510352.7595.1.camel@trentalancia.net>
 <20170208021335.GA2470@meriadoc.perfinion.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/07/17 21:13, Jason Zaman via refpolicy wrote:
> On Wed, Feb 08, 2017 at 12:32:32AM +0100, Guido Trentalancia via refpolicy wrote:
>> Allow the bootloader to read boot files in order to generate
>> a configuration file.
>>
>> Signed-off-by: Guido Trentalancia
>
> NACK. This won't work. Just use the patch I posted
> http://oss.tresys.com/pipermail/refpolicy/2017-February/009011.html
> [PATCH v2] bootloader: grub needs to manage grub.cfg and read kernels

I've decided to revert this patch. A nonfunctional system app like this
is not acceptable. I am still open to a change along these lines, though
arguably because bootloader has raw disk access, it doesn't matter much
if it can overwrite the kernel via normal file access.

>> ---
>>  policy/modules/admin/bootloader.te | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff -pru refpolicy-git-08022017-orig/policy/modules/admin/bootloader.te refpolicy-git-08022017/policy/modules/admin/bootloader.te
>> --- refpolicy-git-08022017-orig/policy/modules/admin/bootloader.te 2016-12-29 22:48:16.446818415 +0100
>> +++ refpolicy-git-08022017/policy/modules/admin/bootloader.te 2017-02-08 00:14:22.923674773 +0100
>> @@ -108,6 +108,7 @@ corecmd_exec_all_executables(bootloader_
>>  domain_use_interactive_fds(bootloader_t)
>>
>>  files_create_boot_dirs(bootloader_t)
>> +files_read_boot_files(bootloader_t)
>>  files_read_etc_files(bootloader_t)
>>  files_read_usr_src_files(bootloader_t)
>>  files_read_usr_files(bootloader_t)
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Chris PeBenito
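Review bot: The single added line `files_read_boot_files(bootloader_t)` grants read-only access to boot files, which cannot satisfy the stated goal of generating a configuration file: writing grub.cfg under /boot requires write (manage) permission on boot files, and nothing in this hunk or its surrounding context (`files_create_boot_dirs`, the `files_read_*` interfaces) grants that, so the bootloader still fails at the write step. This matches the NACK in the thread; the change should instead follow the referenced v2 approach (manage grub.cfg and read the kernels) rather than adding a read interface alone. As a smaller point, the commit message should describe the permission actually granted (reading boot files) rather than the outcome it does not achieve on its own.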