policy_module(bootloader,1.1.1) ######################################## # # Declarations # attribute rw_kern_modules; # # boot_t is the type for files in /boot # type boot_t; files_type(boot_t) files_mountpoint(boot_t) # # boot_runtime_t is the type for /boot/kernel.h, # which is automatically generated at boot time. # only for Red Hat # type boot_runtime_t; files_type(boot_runtime_t) type bootloader_t; domain_type(bootloader_t) role system_r types bootloader_t; type bootloader_exec_t; domain_entry_file(bootloader_t,bootloader_exec_t) # # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # type bootloader_etc_t alias etc_bootloader_t; files_type(bootloader_etc_t) # # The temp file is used for initrd creation; # it consists of files and device nodes # type bootloader_tmp_t; files_tmp_file(bootloader_tmp_t) dev_node(bootloader_tmp_t) # kernel modules type modules_object_t; files_type(modules_object_t) #neverallow ~rw_kern_modules modules_object_t:file { create append write }; # # system_map_t is for the system.map files in /boot # type system_map_t; files_type(system_map_t) # # /var/log/ksyms # cjp: this probably can be removed, I do not # think it is used on 2.6 kernels type var_log_ksyms_t; logging_log_file(var_log_ksyms_t) ######################################## # # bootloader local policy # allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:fifo_file { getattr read write }; allow bootloader_t boot_t:dir { create rw_dir_perms }; allow bootloader_t boot_t:file create_file_perms; allow bootloader_t boot_t:lnk_file create_lnk_perms; allow bootloader_t bootloader_etc_t:file r_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; #files_filetrans_etc(bootloader_t,bootloader_etc_t) allow bootloader_t bootloader_tmp_t:dir create_dir_perms; allow bootloader_t bootloader_tmp_t:file create_file_perms; allow bootloader_t bootloader_tmp_t:chr_file create_file_perms; allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; files_filetrans_tmp(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) # for tune2fs (cjp: ?) files_filetrans_root(bootloader_t,bootloader_tmp_t) allow bootloader_t modules_object_t:dir r_dir_perms; allow bootloader_t modules_object_t:file r_file_perms; allow bootloader_t modules_object_t:lnk_file r_file_perms; kernel_getattr_core(bootloader_t) kernel_read_system_state(bootloader_t) kernel_read_software_raid_state(bootloader_t) kernel_read_kernel_sysctl(bootloader_t) storage_raw_read_fixed_disk(bootloader_t) storage_raw_write_fixed_disk(bootloader_t) storage_raw_read_removable_device(bootloader_t) storage_raw_write_removable_device(bootloader_t) dev_getattr_all_chr_files(bootloader_t) dev_getattr_all_blk_files(bootloader_t) dev_dontaudit_rw_generic_dev_nodes(bootloader_t) dev_read_rand(bootloader_t) dev_read_urand(bootloader_t) dev_getattr_sysfs_dir(bootloader_t) # for reading BIOS data dev_read_raw_memory(bootloader_t) fs_getattr_xattr_fs(bootloader_t) term_getattr_all_user_ttys(bootloader_t) term_dontaudit_manage_pty_dir(bootloader_t) corecmd_exec_bin(bootloader_t) corecmd_exec_sbin(bootloader_t) corecmd_exec_shell(bootloader_t) domain_exec_all_entry_files(bootloader_t) domain_use_wide_inherit_fd(bootloader_t) files_read_etc_files(bootloader_t) files_exec_etc_files(bootloader_t) files_read_etc_runtime_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) # for nscd files_dontaudit_search_pids(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_pty(bootloader_t) init_use_script_fd(bootloader_t) init_rw_script_pipe(bootloader_t) libs_use_ld_so(bootloader_t) libs_use_shared_libs(bootloader_t) libs_read_lib(bootloader_t) libs_exec_lib_files(bootloader_t) logging_send_syslog_msg(bootloader_t) logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) seutil_read_binary_pol(bootloader_t) seutil_read_loadpol(bootloader_t) seutil_dontaudit_search_config(bootloader_t) ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; allow bootloader_t boot_t:file relabelfrom; fs_list_tmpfs(bootloader_t) files_relabelto_usr_files(bootloader_t) files_search_var_lib(bootloader_t) # for /usr/share/initrd-tools/scripts files_exec_usr_files(bootloader_t) fstools_manage_entry_files(bootloader_t) fstools_relabelto_entry_files(bootloader_t) libs_relabelto_lib_files(bootloader_t) ') ifdef(`distro_redhat',` # for memlock allow bootloader_t self:capability ipc_lock; # new file system defaults to file_t, granting file_t access is still bad. allow bootloader_t boot_runtime_t:file { r_file_perms unlink }; # mkinitrd mount initrd on bootloader temp dir files_mountpoint(bootloader_tmp_t) # new file system defaults to file_t, granting file_t access is still bad. files_manage_isid_type_dir(bootloader_t) files_manage_isid_type_file(bootloader_t) files_manage_isid_type_symlink(bootloader_t) files_manage_isid_type_blk_node(bootloader_t) files_manage_isid_type_chr_node(bootloader_t) # for mke2fs mount_domtrans(bootloader_t) ') ifdef(`targeted_policy',` term_use_unallocated_tty(bootloader_t) term_use_generic_pty(bootloader_t) ') optional_policy(`fstools',` fstools_exec(bootloader_t) ') optional_policy(`lvm',` dev_rw_lvm_control(bootloader_t) lvm_domtrans(bootloader_t) lvm_read_config(bootloader_t) ') optional_policy(`modutils',` modutils_exec_insmod(bootloader_t) modutils_read_mods_deps(bootloader_t) modutils_read_module_conf(bootloader_t) modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) ') optional_policy(`nscd',` nscd_use_socket(bootloader_t) ') optional_policy(`rpm',` rpm_rw_pipe(bootloader_t) ') optional_policy(`userdomain',` userdom_dontaudit_search_staff_home_dir(bootloader_t) userdom_dontaudit_search_sysadm_home_dir(bootloader_t) ') ifdef(`TODO',` ifdef(`distro_debian', ` # cjp: there is no setfscreate or type_transition, and # bootloader_t cannot rw a usr_t or lib_t directory, so # how can this work? This is probably rw_file_perms, # possibly with unlink. Files are probably "created" # by the above relabeling permissions. allow bootloader_t { usr_t lib_t }:file create_file_perms; allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; allow bootloader_t dpkg_var_lib_t:file { getattr read }; ') ') dnl end TODO