From: jason@perfinion.com (Jason Zaman)
Date: Mon, 27 Feb 2017 19:22:26 +0800
Subject: [refpolicy] [PATCH 1/2] bootloader: grub-mkconfig needs search perms on PWD (usually homedir)
Message-ID: <20170227112227.24958-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

$ grub2-mkconfig -o /boot/grub/grub.cfg
/usr/sbin/grub2-probe: error: cannot restore the original directory.

Most users/admins call grub2-mkconfig from their home directory, so grant
it search rights on the home directory (but no more).

type=AVC msg=audit(1486280243.141:685): avc: denied { getattr } for pid=24648 comm="30_os-prober" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.141:686): avc: denied { search } for pid=24648 comm="30_os-prober" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.165:687): avc: denied { getattr } for pid=24652 comm="40_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.165:688): avc: denied { search } for pid=24652 comm="40_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.175:689): avc: denied { getattr } for pid=24653 comm="41_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.175:690): avc: denied { search } for pid=24653 comm="41_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.188:691): avc: denied { search } for pid=24578 comm="grub-mkconfig" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0

Gentoo-Bug: https://bugs.gentoo.org/537652
---
 policy/modules/admin/bootloader.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 39b1d9e..42a8b6d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -131,7 +131,7 @@
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
 userdom_use_user_terminals(bootloader_t)
-userdom_dontaudit_search_user_home_dirs(bootloader_t)
+userdom_search_user_home_dirs(bootloader_t)
 
 ifdef(`distro_debian',`
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-- 
2.10.2
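Review bot: the AVC list shows getattr denials on user_home_dir_t (30_os-prober, 40_custom, 41_custom) alongside the search denials, but the commit message only talks about search rights; userdom_search_user_home_dirs() grants search_dir_perms on user_home_dir_t, which includes getattr, so those denials are covered too, and the message should say so rather than leaving a reviewer to check the interface. Style: refpolicy keeps interface calls within a block in alphabetical order, so the new `userdom_search_user_home_dirs(bootloader_t)` line belongs above `userdom_use_user_terminals(bootloader_t)`, not after it (the dontaudit call it replaces was already out of order, so this is the moment to fix it). The subject says PWD is "usually homedir": the allow only covers the home directory itself (user_home_dir_t, as in the AVCs), not a subdirectory of it or any other working directory, so grub2-mkconfig run from elsewhere will still hit the grub2-probe "cannot restore the original directory" error; worth a sentence in the commit message so the next bug report is not a duplicate of this one.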