diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 66bbae60..72ba9471 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -34,9 +34,8 @@ define(`bootloader_domtrans_depend',` ######################################## ## ## -## Execute bootloader in the bootloader domain, and -## allow the specified role the bootloader domain, -## and use the caller's terminal. +## Execute bootloader interactively and do +## a domain transition to the bootloader domain. ## ## ## The type of the process performing this action. 
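Review bot: The rewritten summary in the `@@ -34,9 +34,8 @@` hunk no longer says that the interface allows the specified role the bootloader domain or uses the caller's terminal, both of which the removed text stated. The interface body is outside this hunk, so this is inferred, but if it still authorises a role, the summary should keep saying so, because that is the part a policy author needs to see before calling it. Something like `## Execute bootloader interactively, do a domain transition to the bootloader domain, and allow the specified role the bootloader domain.` would preserve it.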
@@ -64,49 +63,68 @@ define(`bootloader_run_depend',` ') ######################################## +## +## +## Search the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_search_bootloader_data_directory(domain) -# -define(`bootloader_search_bootloader_data_directory',` +define(`bootloader_search_boot_dir',` requires_block_template(`$0'_depend) allow $1 boot_t:dir search; ') -define(`bootloader_search_bootloader_data_directory_depend',` +define(`bootloader_search_boot_dir_depend',` type boot_t; class dir search; ') ######################################## +## +## +## Do not audit attempts to search the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_ignore_search_bootloader_data_directory(domain) -# -define(`bootloader_ignore_search_bootloader_data_directory',` +define(`bootloader_dontaudit_search_boot_dir',` requires_block_template(`$0'_depend) dontaudit $1 boot_t:dir search; ') -define(`bootloader_ignore_search_bootloader_data_directory_depend',` +define(`bootloader_dontaudit_search_boot_dir_depend',` type boot_t; class dir search; ') ######################################## +## +## +## Read and write symbolic links +## in the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_modify_bootloader_data_directory_symbolic_links(domain) -# -define(`bootloader_modify_bootloader_data_directory_symbolic_links',` +define(`bootloader_rw_boot_symlinks',` requires_block_template(`$0'_depend) allow $1 boot_t:dir r_dir_perms; allow $1 boot_t:lnk_file rw_file_perms; ') -define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',` +define(`bootloader_rw_boot_symlinks_depend',` type boot_t; class dir r_dir_perms; 
@@ -114,10 +132,16 @@ define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',` ') ######################################## +## +## +## Install a kernel into the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_install_kernel(domain) -# -define(`bootloader_install_kernel',` +define(`bootloader_create_kernel',` requires_block_template(`$0'_depend) allow $1 boot_t:dir ra_dir_perms; @@ -125,7 +149,7 @@ define(`bootloader_install_kernel',` allow $1 boot_t:lnk_file { getattr read create unlink }; ') -define(`bootloader_install_kernel_depend',` +define(`bootloader_create_kernel_depend',` type boot_t; class dir ra_dir_perms; @@ -134,37 +158,23 @@ define(`bootloader_install_kernel_depend',` ') ######################################## +## +## +## Install a system.map into the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_install_initrd(domain) -# -define(`bootloader_install_initrd',` - requires_block_template(`$0'_depend) - - allow $1 boot_t:dir ra_dir_perms; - allow $1 boot_t:file { getattr read write create }; - allow $1 boot_t:lnk_file { getattr read create unlink }; -') - -define(`bootloader_install_initrd_depend',` - type boot_t; - - class dir ra_dir_perms; - class file { getattr read write create }; - class lnk_file { getattr read create unlink }; -') - -######################################## -# -# bootloader_install_kernel_symbol_table(domain) -# -define(`bootloader_install_kernel_symbol_table',` +define(`bootloader_create_kernel_symbol_table',` requires_block_template(`$0'_depend) allow $1 boot_t:dir ra_dir_perms; allow $1 system_map_t:file { rw_file_perms create }; ') -define(`bootloader_install_kernel_symbol_table_depend',` +define(`bootloader_create_kernel_symbol_table_depend',` type boot_t, system_map_t; class dir ra_dir_perms; 
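Review bot: In the `@@ -134,37 +158,23 @@` hunk, `bootloader_install_initrd` is deleted and nothing in the new comments names its replacement. Its visible rules on `boot_t:dir` and `boot_t:lnk_file` match the ones shown for `bootloader_create_kernel`, so that appears to be the intended successor, although the kernel interface's file rule is outside the hunks. If so, its summary should say it, for example `## Install a kernel and its initrd into the /boot directory.`, so initrd-installing domains are not given a broader interface by guesswork. The summary could also mention that `lnk_file { getattr read create unlink }` lets the caller replace symbolic links in /boot.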
@@ -172,8 +182,14 @@ define(`bootloader_install_kernel_symbol_table_depend',` ') ######################################## -# -# bootloader_read_kernel_symbol_table(domain) +## +## +## Read system.map in the /boot directory. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_read_kernel_symbol_table',` requires_block_template(`$0'_depend) @@ -190,17 +206,23 @@ define(`bootloader_read_kernel_symbol_table_depend',` ') ######################################## +## +## +## Delete a kernel from /boot. +## +## +## The type of the process performing this action. +## +## # -# bootloader_remove_kernel(domain) -# -define(`bootloader_remove_kernel',` +define(`bootloader_delete_kernel',` requires_block_template(`$0'_depend) allow $1 boot_t:dir { r_dir_perms write remove_name }; allow $1 boot_t:file { getattr unlink }; ') -define(`bootloader_remove_kernel_depend',` +define(`bootloader_delete_kernel_depend',` type boot_t; class dir { r_dir_perms write remove_name }; @@ -208,17 +230,23 @@ define(`bootloader_remove_kernel_depend',` ') ######################################## +## +## +## Delete a system.map in the /boot directory. +## +## +## The type of the process performing this action. +## +## # -# bootloader_remove_kernel_symbol_table(domain) -# -define(`bootloader_remove_kernel_symbol_table',` +define(`bootloader_delete_kernel_symbol_table',` requires_block_template(`$0'_depend) allow $1 boot_t:dir { r_dir_perms write remove_name }; allow $1 system_map_t:file { getattr unlink }; ') -define(`bootloader_remove_kernel_symbol_table_depend',` +define(`bootloader_delete_kernel_symbol_table_depend',` type boot_t, system_map_t; class dir { r_dir_perms write remove_name }; 
@@ -226,8 +254,14 @@ define(`bootloader_remove_kernel_symbol_table_depend',` ') ######################################## -# -# bootloader_read_config(domain) +## +## +## Read the bootloader configuration file. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_read_config',` requires_block_template(`$0'_depend) @@ -242,43 +276,64 @@ define(`bootloader_read_config_depend',` ') ######################################## +## +## +## Read and write the bootloader +## configuration file. +## +## +## The type of the process performing this action. +## +## # -# bootloader_rw_config(domain) -# -define(`bootloader_rw_bootloader_config',` +define(`bootloader_rw_config',` requires_block_template(`$0'_depend) allow $1 bootloader_etc_t:file rw_file_perms; ') -define(`bootloader_rw_bootloader_config_depend',` +define(`bootloader_rw_config_depend',` type bootloader_etc_t; class file rw_file_perms; ') ######################################## +## +## +## Read and write the bootloader +## temporary data in /tmp. +## +## +## The type of the process performing this action. +## +## # -# bootloader_rw_temp_data(domain) -# -define(`bootloader_rw_temp_data',` +define(`bootloader_rw_tmp_file',` requires_block_template(`$0'_depend) # FIXME: read tmp_t allow $1 bootloader_tmp_t:file rw_file_perms; ') -define(`bootloader_rw_temp_data_depend',` +define(`bootloader_rw_tmp_file_depend',` type bootloader_tmp_t; class file rw_file_perms; ') ######################################## +## +## +## Read and write the bootloader +## temporary data in /tmp. +## +## +## The type of the process performing this action. +## +## # -# bootloader_create_runtime_data(domain) -# -define(`bootloader_create_runtime_data',` +define(`bootloader_create_runtime_file',` requires_block_template(`$0'_depend) allow $1 boot_t:dir rw_dir_perms; 
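Review bot: The summary added above `bootloader_create_runtime_file` in the `@@ -242,43 +276,64 @@` hunk is a copy of the one for `bootloader_rw_tmp_file` ("Read and write the bootloader temporary data in /tmp."), and it does not describe the rules that follow. Those rules grant `boot_t:dir rw_dir_perms` and, in the next hunk, `type_transition $1 boot_t:file boot_runtime_t`, so the interface concerns files created in /boot, not /tmp. A policy author relying on the generated documentation could grant write access to the /boot directory while believing it is a temp-file interface. Suggest `## Create files in the /boot directory with the bootloader runtime type (boot_runtime_t).`; the interface body continues past the end of this hunk.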
@@ -286,7 +341,7 @@ define(`bootloader_create_runtime_data',` type_transition $1 boot_t:file boot_runtime_t; ') -define(`bootloader_create_runtime_data_depend',` +define(`bootloader_create_runtime_file_depend',` type boot_t, boot_runtime_t; class dir rw_dir_perms; @@ -294,8 +349,14 @@ define(`bootloader_create_runtime_data_depend',` ') ######################################## -# -# bootloader_list_kernel_modules(domain) +## +## +## List the contents of the kernel module directories. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_list_kernel_modules',` requires_block_template(`$0'_depend) @@ -310,8 +371,14 @@ define(`bootloader_list_kernel_modules_depend',` ') ######################################## -# -# bootloader_read_kernel_modules(domain) +## +## +## Read kernel module files. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_read_kernel_modules',` requires_block_template(`$0'_depend) @@ -330,14 +397,20 @@ define(`bootloader_read_kernel_modules_depend',` ') ######################################## -# -# bootloader_write_kernel_modules(domain) +## +## +## Write kernel module files. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_write_kernel_modules',` requires_block_template(`$0'_depend) allow $1 modules_object_t:dir r_dir_perms; - allow $1 modules_object_t:file write; + allow $1 modules_object_t:file { write append }; typeattribute $1 can_modify_kernel_modules; ') @@ -348,12 +421,19 @@ define(`bootloader_write_kernel_modules_depend',` type modules_object_t; class dir r_dir_perms; - class file write; + class file { write append }; ') ######################################## -# -# bootloader_manage_kernel_modules(domain) +## +## +## Create, read, write, and delete +## kernel module files. +## +## +## The type of the process performing this action. +## +## # define(`bootloader_manage_kernel_modules',` requires_block_template(`$0'_depend)
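Review bot: In the `@@ -330,14 +397,20 @@` hunk, `allow $1 modules_object_t:file { write append };` adds the `append` permission, but the new summary still reads "Write kernel module files." and the rest of the commit is renames and documentation. Because this interface also assigns `can_modify_kernel_modules`, a change to what it grants should be visible in the summary, e.g. `## Write and append to kernel module files.`, and called out in the commit message. The matching `class file { write append };` in the `_depend` block of the following hunk is consistent with the new rule.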