Policy for the kernel modules, kernel image, and bootloader.

######################################## ##

## Execute bootloader in the bootloader domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`bootloader_domtrans',` gen_require(` type bootloader_t, bootloader_exec_t; ') domtrans_pattern($1, bootloader_exec_t, bootloader_t) ') ######################################## ##

## Execute bootloader interactively and do ## a domain transition to the bootloader domain. ##

## ##

## Domain allowed to transition. ##

## ## ##

## Role allowed access. ##

## ## # interface(`bootloader_run',` gen_require(` type bootloader_t; ') bootloader_domtrans($1) role $2 types bootloader_t; ifdef(`distro_redhat',` # for mke2fs mount_run(bootloader_t, $2) ') ') ######################################## ##

## Read the bootloader configuration file. ##

## ##

## Domain allowed access. ##

## # interface(`bootloader_read_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file read_file_perms; ') ######################################## ##

## Read and write the bootloader ## configuration file. ##

## ##

## Domain allowed access. ##

## ## # interface(`bootloader_rw_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file rw_file_perms; ') ######################################## ##

## Read and write the bootloader ## temporary data in /tmp. ##

## ##

## Domain allowed access. ##

## # interface(`bootloader_rw_tmp_files',` gen_require(` type bootloader_tmp_t; ') # FIXME: read tmp_t dir allow $1 bootloader_tmp_t:file rw_file_perms; ') ######################################## ##

## Read and write the bootloader ## temporary data in /tmp. ##

## ##

## Domain allowed access. ##

## # interface(`bootloader_create_runtime_file',` gen_require(` type boot_runtime_t; ') allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ')