From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 18 Apr 2017 20:57:32 -0400 Subject: [refpolicy] [PATCH] bootloader In-Reply-To: <20170417115453.cioe2lcm3zluqbyy@athena.coker.com.au> References: <20170417115453.cioe2lcm3zluqbyy@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/17/2017 07:54 AM, Russell Coker via refpolicy wrote: > This patch adds a lot of policy that is needed to setup an initramfs and grub > on Debian nowadays. > > Also changed a comment about ia64 to correctly mention EFI. Merged with line moving and renaming.
> --- refpolicy-2.20170417.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170417/policy/modules/admin/bootloader.te
> @@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
> # bootloader local policy
> #
>
> -allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
> +allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
> allow bootloader_t self:process { signal_perms execmem };
> allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
> @@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, b
> manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
> manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
> files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
> +allow bootloader_t bootloader_tmp_t:dir mounton;
> # for tune2fs (cjp: ?)
> files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
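Review bot: The `setgid` capability added to the bootloader_t self:capability rule comes without a comment saying which program needs it, while the other new grants in this patch are annotated (`# for grub-probe`). Capability grants are the rules most worth justifying in a .te file, so add a comment above the line, e.g. `# setgid: needed by <tool> (TODO: name the utility from the denial that motivated it)`. The new `allow bootloader_t bootloader_tmp_t:dir mounton;` in the second hunk, which ends on the next line, would benefit from the same treatment.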
>
> @@ -65,10 +66,17 @@ kernel_read_system_state(bootloader_t)
> kernel_read_software_raid_state(bootloader_t)
> kernel_read_kernel_sysctls(bootloader_t)
>
> +# for grub-probe
> +kernel_request_load_module(bootloader_t)
> +
> +kernel_search_debugfs(bootloader_t)
> +kernel_setsched(bootloader_t)
> +
> storage_raw_read_fixed_disk(bootloader_t)
> storage_raw_write_fixed_disk(bootloader_t)
> storage_raw_read_removable_device(bootloader_t)
> storage_raw_write_removable_device(bootloader_t)
> +storage_rw_fuse(bootloader_t)
>
> dev_getattr_all_chr_files(bootloader_t)
> dev_getattr_all_blk_files(bootloader_t)
> @@ -82,7 +90,7 @@ dev_rw_nvram(bootloader_t)
> fs_getattr_xattr_fs(bootloader_t)
> fs_getattr_tmpfs(bootloader_t)
> fs_read_tmpfs_symlinks(bootloader_t)
> -#Needed for ia64
> +#Needed for EFI
> fs_manage_dos_files(bootloader_t)
>
> mls_file_read_all_levels(bootloader_t)
> @@ -104,6 +112,7 @@ files_read_usr_src_files(bootloader_t)
> files_read_usr_files(bootloader_t)
> files_read_var_files(bootloader_t)
> files_read_kernel_modules(bootloader_t)
> +files_search_mnt(bootloader_t)
> # for nscd
> files_dontaudit_search_pids(bootloader_t)
> # for blkid.tab
> @@ -111,6 +120,16 @@ files_manage_etc_runtime_files(bootloade
> files_etc_filetrans_etc_runtime(bootloader_t, file)
> files_dontaudit_search_home(bootloader_t)
>
> +fs_mount_fusefs(bootloader_t)
> +fs_mount_xattr_fs(bootloader_t)
> +fs_mounton_fusefs(bootloader_t)
> +fs_read_fusefs_symlinks(bootloader_t)
> +fs_read_fusefs_files(bootloader_t)
> +fs_stat_fusefs(bootloader_t)
> +fs_unmount_fusefs(bootloader_t)
> +fs_unmount_xattr_fs(bootloader_t)
> +fstools_manage_run_files(bootloader_t)
> +
> init_getattr_initctl(bootloader_t)
> init_use_script_ptys(bootloader_t)
> init_use_script_fds(bootloader_t)
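Review bot: `fs_mount_xattr_fs` and `fs_unmount_xattr_fs` let bootloader_t mount and unmount any extended-attribute filesystem, a much broader grant than the FUSE-specific calls around them, and the hunk gives no reason for it. If a particular tool requires it, say so in a comment above the group, e.g. `# for <tool>, which mounts other partitions (TODO: confirm)`; if only FUSE mounts are actually needed, the two calls should be dropped. `kernel_search_debugfs` and `kernel_setsched` in the hunk at -65 are likewise added without a comment, since the `# for grub-probe` line is separated from them by a blank line and reads as covering only the module-load call directly below it.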
> @@ -123,11 +142,14 @@ logging_send_syslog_msg(bootloader_t)
> logging_rw_generic_logs(bootloader_t)
>
> miscfiles_read_localization(bootloader_t)
> +mount_runtime_rw(bootloader_t)
>
> seutil_read_bin_policy(bootloader_t)
> seutil_read_loadpolicy(bootloader_t)
> seutil_dontaudit_search_config(bootloader_t)
>
> +udev_read_pid_files(bootloader_t)
> +
> userdom_use_user_terminals(bootloader_t)
> userdom_dontaudit_search_user_home_dirs(bootloader_t)
>
> @@ -153,6 +175,7 @@ ifdef(`distro_debian',`
> apt_read_cache(bootloader_t)
>
> dpkg_read_db(bootloader_t)
> + dpkg_rw_pipes(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> --- refpolicy-2.20170417.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170417/policy/modules/kernel/filesystem.if
> @@ -1954,6 +1954,24 @@ interface(`fs_read_eventpollfs',`
>
> ########################################
> ##
> +## stat a FUSE filesystem
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_stat_fusefs',`
> + gen_require(`
> + type fusefs_t;
> + ')
> +
> + allow $1 fusefs_t:filesystem getattr;
> +')
> +
> +########################################
> +##
> ## Mount a FUSE filesystem.
> ##
> ##
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170417/policy/modules/system/fstools.if
> @@ -172,3 +172,22 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +##
> +## manage fsadm_run_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fstools_manage_run_files',`
> + gen_require(`
> + type fsadm_run_t;
> + ')
> +
> + allow $1 fsadm_run_t:dir rw_dir_perms;
> + allow $1 fsadm_run_t:file manage_file_perms;
> +')
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170417/policy/modules/system/mount.if
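Review bot: The new interface is named `fs_stat_fusefs`, but the getattr-on-filesystem interfaces this module already exposes use the `fs_getattr_` prefix, as the calls `fs_getattr_xattr_fs(bootloader_t)` and `fs_getattr_tmpfs(bootloader_t)` in the bootloader.te context show; `fs_getattr_fusefs` would keep that convention, with the caller in bootloader.te changed to match. The summary `## stat a FUSE filesystem` should also follow the neighbouring `## Mount a FUSE filesystem.` in capitalisation and wording, e.g. `## Get the attributes of a FUSE filesystem.`. The reply mentions renaming at merge time, so this may already be addressed.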
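Review bot: The two allow rules in `fstools_manage_run_files` (dir rw_dir_perms plus file manage_file_perms on fsadm_run_t) are exactly what the `manage_files_pattern` support macro expands to, and bootloader.te in this same patch uses the pattern form (`manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)`); `manage_files_pattern($1, fsadm_run_t, fsadm_run_t)` would replace both lines. The summary `## manage fsadm_run_t files` names the type rather than the access; `## Create, read, write, and delete fstools runtime files.` is the usual refpolicy phrasing.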
> @@ -209,3 +209,40 @@ interface(`mount_rw_loopback_files',`
>
> allow $1 mount_loopback_t:file rw_file_perms;
> ')
> +
> +########################################
> +##
> +## Getattr on mount_runtime_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`stat_mount_var_run',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:file getattr;
> +')
> +
> +########################################
> +##
> +## rw mount_runtime_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_runtime_rw',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:dir search;
> + allow $1 mount_runtime_t:file rw_file_perms;
> +')
-- Chris PeBenito
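Review bot: `stat_mount_var_run` lacks the `mount_` module prefix that the rest of the file uses (`mount_rw_loopback_files` in the context, `mount_runtime_rw` just below), and nothing else in the patch calls it, so it should be renamed, e.g. `mount_getattr_runtime_files`, or dropped as unused. `mount_runtime_rw` would read `mount_rw_runtime_files` to follow the verb-object order of `mount_rw_loopback_files`. Both summaries (`## Getattr on mount_runtime_t`, `## rw mount_runtime_t files`) describe the type instead of the access granted; e.g. `## Read and write mount runtime files.`. The reply says the patch was merged with renaming, so some of this may already be handled.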