## Policy for the kernel modules, kernel image, and bootloader. ######################################## ## ## Execute bootloader in the bootloader domain. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_domtrans',` gen_require(` type bootloader_t, bootloader_exec_t; ') domtrans_pattern($1, bootloader_exec_t, bootloader_t) ') ######################################## ## ## Execute bootloader interactively and do ## a domain transition to the bootloader domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the bootloader domain. ## ## ## # interface(`bootloader_run',` gen_require(` type bootloader_t; ') bootloader_domtrans($1) role $2 types bootloader_t; ifdef(`distro_redhat',` # for mke2fs mount_run(bootloader_t, $2) ') ') ######################################## ## ## Read the bootloader configuration file. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_read_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file read_file_perms; ') ######################################## ## ## Read and write the bootloader ## configuration file. ## ## ## ## Domain allowed access. ## ## ## # interface(`bootloader_rw_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file rw_file_perms; ') ######################################## ## ## Read and write the bootloader ## temporary data in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_rw_tmp_files',` gen_require(` type bootloader_tmp_t; ') # FIXME: read tmp_t dir allow $1 bootloader_tmp_t:file rw_file_perms; ') ######################################## ## ## Read and write the bootloader ## temporary data in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_create_runtime_file',` gen_require(` type boot_runtime_t; ') allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ')