selinux-policy/refpolicy/policy/modules/kernel/bootloader.te
2005-06-14 20:48:34 +00:00

217 lines
6.1 KiB
Plaintext

policy_module(bootloader,1.0)
########################################
#
# Declarations
#
attribute rw_kern_modules;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_file_type(boot_t)
files_mountpoint(boot_t)
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t;
files_file_type(boot_runtime_t)
type bootloader_t;
domain_type(bootloader_t)
role system_r types bootloader_t;
type bootloader_exec_t;
domain_entry_file(bootloader_t,bootloader_exec_t)
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
files_file_type(bootloader_etc_t)
#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
files_file_type(modules_object_t)
neverallow ~rw_kern_modules modules_object_t:file { create append write };
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_file_type(system_map_t)
########################################
#
# bootloader local policy
#
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal };
allow bootloader_t self:fifo_file { getattr read write };
allow bootloader_t boot_t:dir ra_dir_perms;
allow bootloader_t boot_t:file { rw_file_perms create };
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
#files_create_etc_config(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_create_root(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
allow bootloader_t modules_object_t:lnk_file r_file_perms;
kernel_getattr_core(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctl(bootloader_t)
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
dev_getattr_all_chr_files(bootloader_t)
dev_setattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
# for reading BIOS data
dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_pty(bootloader_t)
init_use_script_fd(bootloader_t)
domain_use_wide_inherit_fd(bootloader_t)
libs_use_ld_so(bootloader_t)
libs_use_shared_libs(bootloader_t)
libs_read_lib(bootloader_t)
files_read_generic_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src(bootloader_t)
files_read_usr_files(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
corecmd_exec_bin(bootloader_t)
corecmd_exec_sbin(bootloader_t)
corecmd_exec_shell(bootloader_t)
logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
seutil_read_binary_pol(bootloader_t)
seutil_read_loadpol(bootloader_t)
ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
')
ifdef(`distro_redhat', `
# for memlock
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
# for mke2fs
mount_domtrans(bootloader_t)
')
optional_policy(`filesystemtools.te', `
filesystemtools_execute(bootloader_t)
')
# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
optional_policy(`lvm.te', `
dev_rw_lvm_control(bootloader_t)
lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
optional_policy(`modutils.te',`
modutils_exec_insmod(insmod_t)
modutils_read_kernel_module_dependencies(bootloader_t)
modutils_read_module_conf(bootloader_t)
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
')
ifdef(`TODO',`
allow bootloader_t initrc_t:fifo_file { read write };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t var_t:dir search;
allow bootloader_t var_t:file { getattr read };
ifdef(`distro_debian', `
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
allow bootloader_t tmpfs_t:dir r_dir_perms;
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
allow bootloader_t var_lib_t:dir search;
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
# for /usr/share/initrd-tools/scripts
can_exec(bootloader_t, usr_t)
')
ifdef(`distro_redhat', `
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
allow bootloader_t file_t:lnk_file create_lnk_perms;
')
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
') dnl end TODO