From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 21:54:53 +1000
Subject: [refpolicy] [PATCH] bootloader
Message-ID: <20170417115453.cioe2lcm3zluqbyy@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch adds a lot of policy that is needed to set up an initramfs and GRUB
on Debian nowadays.
Also changed a comment about ia64 to correctly mention EFI.
--- refpolicy-2.20170417.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20170417/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
# bootloader local policy
#
-allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
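Review bot: The new `setgid` capability on the self:capability line carries no justification, while the module comments its other unusual grants (`# for tune2fs`, `# for grub-probe`). setgid lets bootloader_t change its own group identity and supplementary groups, which is not an obvious need for grub or initramfs generation, so record the program that hit the denial, e.g. `# setgid for <tool> (update-initramfs? confirm)` above the rule, or move it to its own `allow` line with that comment. If that program is a helper that drops privileges, a domain transition for the helper may be a better fix than widening bootloader_t.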
@@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, b
manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
+allow bootloader_t bootloader_tmp_t:dir mounton;
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
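Review bot: `allow bootloader_t bootloader_tmp_t:dir mounton;` is added without a comment saying what gets mounted on the domain's own scratch directories; since bootloader_t creates those dirs itself (the `files_tmp_filetrans` line above), this is the mount-target half of a mount operation and should be tied to the tool that needs it. Presumably this is grub's FUSE-based filesystem probing, but that is inferred rather than visible here — add `# for grub-mount (confirm)` or the actual program name above the line.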
@@ -65,10 +66,17 @@ kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
+# for grub-probe
+kernel_request_load_module(bootloader_t)
+
+kernel_search_debugfs(bootloader_t)
+kernel_setsched(bootloader_t)
+
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
+storage_rw_fuse(bootloader_t)
dev_getattr_all_chr_files(bootloader_t)
dev_getattr_all_blk_files(bootloader_t)
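Review bot: `kernel_search_debugfs`, `kernel_setsched` and `storage_rw_fuse` are added without the `# for ...` justification that `kernel_request_load_module` gets two lines earlier. `kernel_request_load_module` lets the domain ask the kernel to autoload modules by name, and `kernel_setsched` is, as I read the interface, setsched on kernel_t processes; neither is an obvious need for a bootloader helper, so each deserves a comment naming the program that triggered it. For debugfs, if the denial was only a directory walk that does not need to succeed, `kernel_dontaudit_search_debugfs(bootloader_t)` is the usual refpolicy answer rather than allowing it.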
@@ -82,7 +90,7 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
-#Needed for ia64
+#Needed for EFI
fs_manage_dos_files(bootloader_t)
mls_file_read_all_levels(bootloader_t)
@@ -104,6 +112,7 @@ files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
+files_search_mnt(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
@@ -111,6 +120,16 @@ files_manage_etc_runtime_files(bootloade
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+fs_mount_fusefs(bootloader_t)
+fs_mount_xattr_fs(bootloader_t)
+fs_mounton_fusefs(bootloader_t)
+fs_read_fusefs_symlinks(bootloader_t)
+fs_read_fusefs_files(bootloader_t)
+fs_stat_fusefs(bootloader_t)
+fs_unmount_fusefs(bootloader_t)
+fs_unmount_xattr_fs(bootloader_t)
+fstools_manage_run_files(bootloader_t)
+
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
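Review bot: `fs_mount_xattr_fs` and `fs_unmount_xattr_fs` give bootloader_t the general mount/unmount privilege over xattr-labelled filesystems (the ordinary disk filesystems), which refpolicy otherwise keeps in the mount domain, and nothing in the hunk says which initramfs or grub step needs it; add a `# for <tool>` comment so the grant can be reviewed against that program. The group also lands after the `files_*` calls, whereas the module already has an `fs_*` group (`fs_getattr_xattr_fs`, `fs_getattr_tmpfs`, `fs_read_tmpfs_symlinks`) earlier in the file — move the new `fs_*` lines up next to it to keep the alphabetical grouping, leaving `fstools_manage_run_files` where it is. If only a FUSE mount is actually performed, the `fs_*_xattr_fs` pair may not be needed at all; worth confirming against the audit log.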
@@ -123,11 +142,14 @@ logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
+mount_runtime_rw(bootloader_t)
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
+udev_read_pid_files(bootloader_t)
+
userdom_use_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)
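Review bot: `mount_runtime_rw` does not follow the `module_verb_object` naming of its neighbours here (`logging_rw_generic_logs`, `udev_read_pid_files`); since the interface is introduced by this same patch, rename the call to `mount_rw_runtime_files(bootloader_t)` before it gains other users. Also, the only visible access of bootloader_t to the /run directory itself is `files_dontaudit_search_pids` a few lines earlier, so unless the interface grants search on that directory the new rw permission is unlikely to be reachable — check that the domain can actually traverse to the mount runtime files.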
@@ -153,6 +175,7 @@ ifdef(`distro_debian',`
apt_read_cache(bootloader_t)
dpkg_read_db(bootloader_t)
+ dpkg_rw_pipes(bootloader_t)
')
ifdef(`distro_redhat',`
--- refpolicy-2.20170417.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170417/policy/modules/kernel/filesystem.if
@@ -1954,6 +1954,24 @@ interface(`fs_read_eventpollfs',`
########################################
##
+## stat a FUSE filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_stat_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem getattr;
+')
+
+########################################
+##
## Mount a FUSE filesystem.
##
##
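Review bot: `fs_stat_fusefs` names a `filesystem getattr` grant with `stat`, while the module's existing interfaces for the same permission are `fs_getattr_xattr_fs` and `fs_getattr_tmpfs` (both called by bootloader.te in this patch); rename it `fs_getattr_fusefs` and update the caller so the convention holds. The summary should be a sentence in the style of the neighbouring `## Mount a FUSE filesystem.`, e.g. `## Get the attributes of a FUSE filesystem.`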
--- refpolicy-2.20170417.orig/policy/modules/system/fstools.if
+++ refpolicy-2.20170417/policy/modules/system/fstools.if
@@ -172,3 +172,22 @@ interface(`fstools_getattr_swap_files',`
allow $1 swapfile_t:file getattr;
')
+
+########################################
+##
+## manage fsadm_run_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fstools_manage_run_files',`
+ gen_require(`
+ type fsadm_run_t;
+ ')
+
+ allow $1 fsadm_run_t:dir rw_dir_perms;
+ allow $1 fsadm_run_t:file manage_file_perms;
+')
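Review bot: The two raw rules in `fstools_manage_run_files` are exactly what refpolicy's `manage_files_pattern($1, fsadm_run_t, fsadm_run_t)` expands to, and interfaces over /run content conventionally also call `files_search_pids($1)` so the caller can reach the directory; the body should be `files_search_pids($1)` followed by `manage_files_pattern($1, fsadm_run_t, fsadm_run_t)`. The summary `manage fsadm_run_t files` should describe the object rather than restate the type, e.g. `## Create, read, write, and delete fstools runtime files.` Whether the rest of this module uses `_run_` or `_runtime_` in its interface names is not visible here; name the interface to match whichever it is.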
--- refpolicy-2.20170417.orig/policy/modules/system/mount.if
+++ refpolicy-2.20170417/policy/modules/system/mount.if
@@ -209,3 +209,40 @@ interface(`mount_rw_loopback_files',`
allow $1 mount_loopback_t:file rw_file_perms;
')
+
+########################################
+##
+## Getattr on mount_runtime_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`stat_mount_var_run',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:file getattr;
+')
+
+########################################
+##
+## rw mount_runtime_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mount_runtime_rw',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:dir search;
+ allow $1 mount_runtime_t:file rw_file_perms;
+')
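Review bot: `stat_mount_var_run` has no `mount_` module prefix, which every refpolicy interface carries, and no caller in this patch (bootloader.te uses only `mount_runtime_rw`); either drop it or rename it `mount_getattr_runtime_files`. `mount_runtime_rw` should likewise be `mount_rw_runtime_files` with a body of `files_search_pids($1)` and `rw_files_pattern($1, mount_runtime_t, mount_runtime_t)` — the pattern grants `search_dir_perms` on the directory, which the hand-written `dir search` falls short of, and the search on /run is what lets a caller reach the files at all. Summaries such as `rw mount_runtime_t files` should be sentences describing the access, e.g. `## Read and write mount runtime files.`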