From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 11 Feb 2017 21:18:05 +0100 Subject: [refpolicy] [PATCH] bootloader: add permissions to read boot files in order to generate a configuration file In-Reply-To: References: <1482452559.20547.19.camel@trentalancia.net> <20170205054446.GB5742@meriadoc.perfinion.com> <85ccfdef-680e-fc31-6640-18567b4609b9@ieee.org> <1486510352.7595.1.camel@trentalancia.net> <20170208021335.GA2470@meriadoc.perfinion.com> Message-ID: <1486844285.9069.4.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. On Sat, 11/02/2017 at 14.51 -0500, Chris PeBenito wrote: > On 02/07/17 21:13, Jason Zaman via refpolicy wrote: > > > > On Wed, Feb 08, 2017 at 12:32:32AM +0100, Guido Trentalancia via > > refpolicy wrote: > > > > > > Allow the bootloader to read boot files in order to generate > > > a configuration file. > > > > > > Signed-off-by: Guido Trentalancia > > > > NACK. this wont work. Just use the patch I posted > > http://oss.tresys.com/pipermail/refpolicy/2017-February/009011.html > > [PATCH v2] bootloader: grub needs to manage grub.cfg and read > > kernels > > I've decided to revert this patch.??A nonfunctional system app like > this? > is not acceptable.??I am still open to a change along these lines,? > though arguably because bootloader has raw disk access, it doesn't? > matter much if it can overwrite the kernel via normal file access. The core grub functionality has never stopped working. The only thing that was not fully functional is an auxiliary application shipped with grub (grub-mkconfig) that can be optionally used to create the grub configuration file. It basically scans the /boot directory for kernel images and creates an entry for each kernel image it found. With the additional very simple patch that has been posted, the above mentioned optional functionality works again. > > > --- > > > ?policy/modules/admin/bootloader.te |????1 + > > > ?1 file changed, 1 insertion(+) > > > > > > diff -pru refpolicy-git-08022017- > > > orig/policy/modules/admin/bootloader.te refpolicy-git- > > > 08022017/policy/modules/admin/bootloader.te > > > --- refpolicy-git-08022017- > > > orig/policy/modules/admin/bootloader.te 2016-12-29 > > > 22:48:16.446818415 +0100 > > > +++ refpolicy-git-08022017/policy/modules/admin/bootloader.te > > > 2017-02-08 00:14:22.923674773 +0100 > > > @@ -108,6 +108,7 @@ corecmd_exec_all_executables(bootloader_ > > > ?domain_use_interactive_fds(bootloader_t) > > > > > > ?files_create_boot_dirs(bootloader_t) > > > +files_read_boot_files(bootloader_t) > > > ?files_read_etc_files(bootloader_t) > > > ?files_read_usr_src_files(bootloader_t) > > > ?files_read_usr_files(bootloader_t) > > >? Regards, Guido