# Copyright (C) 2005 Tresys Technology, LLC
## <module name="bootloader" layer="kernel">
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>

########################################
## <interface name="bootloader_transition">
##	<description>
##		Execute bootloader in the bootloader domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`bootloader_transition',`
requires_block_template(`$0'_depend)
allow $1 bootloader_exec_t:file { getattr read execute };
allow $1 bootloader_t:process transition;
type_transition $1 bootloader_exec_t:file bootloader_t;
dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
')

define(`bootloader_transition_depend',`
type bootloader_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')

########################################
## <interface name="bootloader_transition_add_role_use_terminal">
##	<description>
##		Execute bootloader in the bootloader domain, and
##		allow the specified role the bootloader domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the bootloader domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the bootloader domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`bootloader_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
bootloader_transition($1)
role $2 types bootloader_t;
allow bootloader_t $3:chr_file { getattr read write ioctl };
')

define(`bootloader_transition_add_role_use_terminal_depend',`
type bootloader_t;
class chr_file { getattr read write ioctl };
')

########################################
#
# bootloader_search_bootloader_data_directory(domain)
#
define(`bootloader_search_bootloader_data_directory',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir search;
')

define(`bootloader_search_bootloader_data_directory_depend',`
type boot_t;
class dir search;
')

########################################
#
# bootloader_ignore_search_bootloader_data_directory(domain)
#
define(`bootloader_ignore_search_bootloader_data_directory',`
requires_block_template(`$0'_depend)
dontaudit $1 boot_t:dir search;
')

define(`bootloader_ignore_search_bootloader_data_directory_depend',`
type boot_t;
class dir search;
')

########################################
#
# bootloader_install_kernel(domain)
#
define(`bootloader_install_kernel',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
')

define(`bootloader_install_kernel_depend',`
type boot_t;
class dir { getattr search read write add_name };
class file { getattr read write create };
class lnk_file { getattr read create unlink };
')

########################################
#
# bootloader_install_initrd(domain)
#
define(`bootloader_install_initrd',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
')

define(`bootloader_install_initrd_depend',`
type boot_t;
class dir { getattr search read write add_name };
class file { getattr read write create };
class lnk_file { getattr read create unlink };
')

########################################
#
# bootloader_install_kernel_symbol_table(domain)
#
define(`bootloader_install_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 system_map_t:file { getattr read write create };
')

define(`bootloader_install_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read write add_name };
class file { getattr read write create };
')

########################################
#
# bootloader_read_kernel_symbol_table(domain)
#
define(`bootloader_read_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read };
allow $1 system_map_t:file { getattr read };
')

define(`bootloader_read_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read };
class file { getattr read };
')

########################################
#
# bootloader_remove_kernel(domain)
#
define(`bootloader_remove_kernel',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write remove_name };
allow $1 boot_t:file { getattr unlink };
')

define(`bootloader_remove_kernel_depend',`
type boot_t;
class dir { getattr search read write remove_name };
class file { getattr unlink };
')

########################################
#
# bootloader_remove_kernel_symbol_table(domain)
#
define(`bootloader_remove_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write remove_name };
allow $1 system_map_t:file { getattr unlink };
')

define(`bootloader_remove_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read write remove_name };
class file { getattr unlink };
')

########################################
#
# bootloader_read_config(domain)
#
define(`bootloader_read_config',`
requires_block_template(`$0'_depend)
allow $1 bootloader_etc_t:file { getattr read };
')

define(`bootloader_read_config_depend',`
type bootloader_etc_t;
class file { getattr read };
')

########################################
#
# bootloader_modify_config(domain)
#
define(`bootloader_modify_bootloader_config',`
requires_block_template(`$0'_depend)
allow $1 bootloader_etc_t:file { getattr read write append };
')

define(`bootloader_modify_bootloader_config_depend',`
type bootloader_etc_t;
class file { getattr read write append };
')

########################################
#
# bootloader_modify_temporary_data(domain)
#
define(`bootloader_modify_temporary_data',`
requires_block_template(`$0'_depend)
# FIXME: read tmp_t
allow $1 bootloader_tmp_t:file { getattr read write };
')

define(`bootloader_modify_temporary_data_depend',`
type bootloader_tmp_t;
class file { getattr read write setattr };
')

########################################
#
# bootloader_create_runtime_data(domain)
#
define(`bootloader_create_runtime_data',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name remove_name };
allow $1 boot_runtime_t:file { getattr create read write append unlink };
type_transition $1 boot_t:file boot_runtime_t;
')

define(`bootloader_create_runtime_data_depend',`
type boot_t, boot_runtime_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink };
')

########################################
#
# bootloader_list_kernel_modules(domain)
#
define(`bootloader_list_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read };
')

define(`bootloader_list_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
')

########################################
#
# bootloader_read_kernel_modules(domain)
#
define(`bootloader_read_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:{ lnk_file file } { getattr read };
')

define(`bootloader_read_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read };
')

########################################
#
# bootloader_modify_kernel_modules(domain)
#
define(`bootloader_modify_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:file { getattr create read write setattr unlink };
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
')

define(`bootloader_modify_kernel_modules_depend',`
type modules_object_t;
class file { getattr create read write setattr unlink };
class dir { getattr search read write add_name remove_name };
')

########################################
#
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
#
define(`bootloader_create_private_module_dir_entry',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
ifelse(`$3',`',`
type_transition $1 modules_object_t:file $2;
',`
type_transition $1 modules_object_t:$3 $2;
') dnl end ifelse
')

define(`bootloader_create_private_module_dir_entry_depend',`
type modules_object_t;
class dir { getattr search read write add_name remove_name };
')

## </module>