2017-02-05 10:13:29

by Jason Zaman

Subject: [refpolicy] [PATCH v2] bootloader: grub needs to manage grub.cfg and read kernels

commit b0c13980d224c49207315154905eb7fcb90f289d
broke grub-mkconfig, which needs to be able to update the grub.cfg file.
Remove the fcontext for grub.cfg so that it can update the file.

Also, grub needs to be able to read the kernels and symlinks to them so
it can add them to the config.

$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
Permission denied

type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE
---
policy/modules/admin/bootloader.fc | 3 ---
policy/modules/admin/bootloader.te | 2 ++
2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index c43c428..d62e8e3 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,9 +1,6 @@
/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)

-/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
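Review bot: Removing the two grub.cfg/grub.conf entries makes a freshly written grub.cfg fall under the `/boot/grub.*/.*` pattern two lines above and get bootloader_run_t, but the grub.cfg already on disk keeps bootloader_etc_t (the AVC in the description shows tcontext=system_u:object_r:bootloader_etc_t on the existing ino=10070) until /boot/grub is relabelled, so the fix is incomplete without a restorecon and the commit message should say so. The denial is on unlink because mv replaces the file (grub.cfg.new is created, then the old grub.cfg is removed) rather than rewriting it in place; an alternative that keeps the config under its own type would be to allow bootloader_t to delete and create bootloader_etc_t files in bootloader_run_t directories with a file type transition, instead of collapsing the label. After this hunk the config type is applied inconsistently: /etc/grub.d and the lilo/yaboot entries below keep bootloader_etc_t while the GRUB config in /boot does not, which is worth a sentence in the description if intentional. The quoted copy of this hunk later in the thread has the same issue.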
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 962cfd0..e5669b5 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -108,6 +108,8 @@ corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)

files_create_boot_dirs(bootloader_t)
+files_read_boot_files(bootloader_t)
+files_read_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
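Review bot: The two read interfaces added here are justified only by the prose; the AVC records quoted in the description show the unlink denial on grub.cfg and nothing about reading kernels or symlinks under /boot. Please include the matching AVC lines, or at least name the grub-mkconfig step that hit them, so the grant can be checked against an actual denial rather than taken on trust. These lines also do nothing for the unlink denial itself, which depends entirely on the .fc change plus a relabel of /boot/grub.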
--
2.10.2


2017-02-05 10:19:12

by Jason Zaman

Subject: [refpolicy] [PATCH v2] bootloader: grub needs to manage grub.cfg and read kernels

This patch fixes it for me now. But I doubt it'll work for lilo or
the other things listed in the fcontexts file. And since it mostly reverts
the original patch, I'm thinking perhaps just completely reverting it
is the saner option.

-- Jason


On Sun, Feb 05, 2017 at 06:13:29PM +0800, Jason Zaman wrote:
> commit b0c13980d224c49207315154905eb7fcb90f289d
> broke grub-mkconfig which needs to be able to update the grub.cfg file.
> Remove the fcontext for grub.cfg so it can update the file.
>
> Also, grub needs to be able to read the kernels and symlinks to them so
> it can add them to the config.
>
> $ grub-mkconfig -o /boot/grub/grub.cfg
> Generating grub configuration file ...
> mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
> Permission denied
>
> type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1486273313.557:26703): cwd="/root"
> type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
> type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
> type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
> type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE
> ---
> policy/modules/admin/bootloader.fc | 3 ---
> policy/modules/admin/bootloader.te | 2 ++
> 2 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index c43c428..d62e8e3 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -1,9 +1,6 @@
> /boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
> /boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
>
> -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> -
> /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index 962cfd0..e5669b5 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -108,6 +108,8 @@ corecmd_exec_all_executables(bootloader_t)
> domain_use_interactive_fds(bootloader_t)
>
> files_create_boot_dirs(bootloader_t)
> +files_read_boot_files(bootloader_t)
> +files_read_boot_symlinks(bootloader_t)
> files_read_etc_files(bootloader_t)
> files_read_usr_src_files(bootloader_t)
> files_read_usr_files(bootloader_t)
> --
> 2.10.2
>