From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 11 Feb 2017 21:51:08 +0100
Subject: [refpolicy] [PATCH] bootloader: add permissions to read boot files in order to generate a configuration file
In-Reply-To: <3b8053a9-bffd-f739-a39b-360f87ad36ea@gmail.com>
References: <1482452559.20547.19.camel@trentalancia.net> <20170205054446.GB5742@meriadoc.perfinion.com> <85ccfdef-680e-fc31-6640-18567b4609b9@ieee.org> <1486510352.7595.1.camel@trentalancia.net> <20170208021335.GA2470@meriadoc.perfinion.com> <1486844285.9069.4.camel@trentalancia.net> <39d0f60d-6b65-a2e0-ae99-e0ad5588a986@gmail.com> <3b8053a9-bffd-f739-a39b-360f87ad36ea@gmail.com>
Message-ID: <227D2688-CECE-461D-9172-EB78B75D5807@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It's grub2-bios-setup that needs raw storage write access...

On the 11th of February 2017 21:47:31 CET, Dominick Grift via refpolicy wrote:
>On 02/11/2017 09:31 PM, Dominick Grift wrote:
>> On 02/11/2017 09:23 PM, Dominick Grift wrote:
>>> On 02/11/2017 09:18 PM, Guido Trentalancia via refpolicy wrote:
>>>> Hello.
>>>>
>>>> On Sat, 11/02/2017 at 14.51 -0500, Chris PeBenito wrote:
>>>>> On 02/07/17 21:13, Jason Zaman via refpolicy wrote:
>>>>>>
>>>>>> On Wed, Feb 08, 2017 at 12:32:32AM +0100, Guido Trentalancia via
>>>>>> refpolicy wrote:
>>>>>>>
>>>>>>> Allow the bootloader to read boot files in order to generate
>>>>>>> a configuration file.
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia
>>>>>>
>>>>>> NACK. this won't work. Just use the patch I posted
>>>>>> http://oss.tresys.com/pipermail/refpolicy/2017-February/009011.html
>>>>>> [PATCH v2] bootloader: grub needs to manage grub.cfg and read
>>>>>> kernels
>>>>>
>>>>> I've decided to revert this patch. A nonfunctional system app like this
>>>>> is not acceptable. I am still open to a change along these lines,
>>>>> though arguably because bootloader has raw disk access, it doesn't
>>>>> matter much if it can overwrite the kernel via normal file access.
>>>>
>>>> The core grub functionality has never stopped working.
>>>>
>>>> The only thing that was not fully functional is an auxiliary
>>>> application shipped with grub (grub-mkconfig) that can be optionally
>>>> used to create the grub configuration file. It basically scans the
>>>> /boot directory for kernel images and creates an entry for each kernel
>>>> image it found.
>>>>
>>>> With the additional very simple patch that has been posted, the above
>>>> mentioned optional functionality works again.
>>>
>>> Except when one uses efi i suppose. since /boot/efi is dosfs_t
>>
>> anyhow, if bootloader_t (i wonder why it needs that) has raw disk access
>> then i would suggest we create a separate domain for the grub2-.* utils
>> since i don't believe they need that
>
>I suppose it might be grub2?-install that needs raw disk access to
>install to boot sector
>
>>
>>>
>>>
>>>>
>>>>>>> --- >>>>>>> policy/modules/admin/bootloader.te | 1 + >>>>>>> 1 file changed, 1 insertion(+) >>>>>>> >>>>>>> diff -pru refpolicy-git-08022017- >>>>>>> orig/policy/modules/admin/bootloader.te refpolicy-git- >>>>>>> 08022017/policy/modules/admin/bootloader.te >>>>>>> --- refpolicy-git-08022017- >>>>>>> orig/policy/modules/admin/bootloader.te 2016-12-29 >>>>>>> 22:48:16.446818415 +0100 >>>>>>> +++ refpolicy-git-08022017/policy/modules/admin/bootloader.te >>>>>>> 2017-02-08 00:14:22.923674773 +0100 
>>>>>>> @@ -108,6 +108,7 @@ corecmd_exec_all_executables(bootloader_ >>>>>>> domain_use_interactive_fds(bootloader_t) >>>>>>> >>>>>>> files_create_boot_dirs(bootloader_t) >>>>>>> +files_read_boot_files(bootloader_t) >>>>>>> files_read_etc_files(bootloader_t) >>>>>>> files_read_usr_src_files(bootloader_t) >>>>>>> files_read_usr_files(bootloader_t) >>>>>>> >>>> >>>> Regards, >>>> >>>> Guido >>>> _______________________________________________ >>>> refpolicy mailing list >>>> refpolicy at oss.tresys.com >>>> http://oss.tresys.com/mailman/listinfo/refpolicy >>>> >>> >>> >> >>
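
Review bot: The added files_read_boot_files(bootloader_t) line in the @@ -108,6 +108,7 @@ hunk grants read access only, while the commit message gives the goal as generating a configuration file; nothing in the visible lines shows how the generated file is written, so the commit message should name the existing rule that covers the write, or the hunk should add it. The permission is attached to the whole of bootloader_t, which the thread says already has raw disk access, so a one-line comment above the new call naming grub-mkconfig as the consumer would make the intent reviewable, and it leaves room for the separate domain for the grub2 utilities suggested in the replies. The replies also note that /boot/efi is dosfs_t, so the commit message should state whether the EFI layout is meant to be covered by this change.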