217 lines
6.1 KiB
Plaintext
217 lines
6.1 KiB
Plaintext
|
|
policy_module(bootloader,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute rw_kern_modules;
|
|
|
|
#
|
|
# boot_t is the type for files in /boot
|
|
#
|
|
type boot_t;
|
|
files_file_type(boot_t)
|
|
files_mountpoint(boot_t)
|
|
|
|
#
|
|
# boot_runtime_t is the type for /boot/kernel.h,
|
|
# which is automatically generated at boot time.
|
|
# only for Red Hat
|
|
#
|
|
type boot_runtime_t;
|
|
files_file_type(boot_runtime_t)
|
|
|
|
type bootloader_t;
|
|
domain_type(bootloader_t)
|
|
role system_r types bootloader_t;
|
|
|
|
type bootloader_exec_t;
|
|
domain_entry_file(bootloader_t,bootloader_exec_t)
|
|
|
|
#
|
|
# bootloader_etc_t is the configuration file,
|
|
# grub.conf, lilo.conf, etc.
|
|
#
|
|
type bootloader_etc_t alias etc_bootloader_t;
|
|
files_file_type(bootloader_etc_t)
|
|
|
|
#
|
|
# The temp file is used for initrd creation;
|
|
# it consists of files and device nodes
|
|
#
|
|
type bootloader_tmp_t;
|
|
files_tmp_file(bootloader_tmp_t)
|
|
dev_node(bootloader_tmp_t)
|
|
|
|
# kernel modules
|
|
type modules_object_t;
|
|
files_file_type(modules_object_t)
|
|
|
|
neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
|
|
|
#
|
|
# system_map_t is for the system.map files in /boot
|
|
#
|
|
type system_map_t;
|
|
files_file_type(system_map_t)
|
|
|
|
########################################
|
|
#
|
|
# bootloader local policy
|
|
#
|
|
|
|
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
|
allow bootloader_t self:process { sigkill sigstop signull signal };
|
|
allow bootloader_t self:fifo_file { getattr read write };
|
|
|
|
allow bootloader_t boot_t:dir ra_dir_perms;
|
|
allow bootloader_t boot_t:file { rw_file_perms create };
|
|
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
|
|
|
|
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
|
# uncomment the following lines if you use "lilo -p"
|
|
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
#files_create_etc_config(bootloader_t,bootloader_etc_t)
|
|
|
|
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
|
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
|
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
|
|
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
|
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
|
files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
|
# for tune2fs (cjp: ?)
|
|
files_create_root(bootloader_t,bootloader_tmp_t)
|
|
|
|
allow bootloader_t modules_object_t:dir r_dir_perms;
|
|
allow bootloader_t modules_object_t:file r_file_perms;
|
|
allow bootloader_t modules_object_t:lnk_file r_file_perms;
|
|
|
|
kernel_getattr_core(bootloader_t)
|
|
kernel_read_system_state(bootloader_t)
|
|
kernel_read_software_raid_state(bootloader_t)
|
|
kernel_read_kernel_sysctl(bootloader_t)
|
|
|
|
storage_raw_read_fixed_disk(bootloader_t)
|
|
storage_raw_write_fixed_disk(bootloader_t)
|
|
storage_raw_read_removable_device(bootloader_t)
|
|
storage_raw_write_removable_device(bootloader_t)
|
|
|
|
dev_getattr_all_chr_files(bootloader_t)
|
|
dev_setattr_all_blk_files(bootloader_t)
|
|
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
|
dev_read_rand(bootloader_t)
|
|
dev_read_urand(bootloader_t)
|
|
# for reading BIOS data
|
|
dev_read_raw_memory(bootloader_t)
|
|
|
|
fs_getattr_xattr_fs(bootloader_t)
|
|
|
|
term_getattr_all_user_ttys(bootloader_t)
|
|
|
|
init_getattr_initctl(bootloader_t)
|
|
init_use_script_pty(bootloader_t)
|
|
init_use_script_fd(bootloader_t)
|
|
|
|
domain_use_wide_inherit_fd(bootloader_t)
|
|
|
|
libs_use_ld_so(bootloader_t)
|
|
libs_use_shared_libs(bootloader_t)
|
|
libs_read_lib(bootloader_t)
|
|
|
|
files_read_generic_etc_files(bootloader_t)
|
|
files_read_etc_runtime_files(bootloader_t)
|
|
files_read_usr_src(bootloader_t)
|
|
files_read_usr_files(bootloader_t)
|
|
# for nscd
|
|
files_dontaudit_search_pids(bootloader_t)
|
|
|
|
corecmd_exec_bin(bootloader_t)
|
|
corecmd_exec_sbin(bootloader_t)
|
|
corecmd_exec_shell(bootloader_t)
|
|
|
|
logging_send_syslog_msg(bootloader_t)
|
|
logging_rw_generic_logs(bootloader_t)
|
|
|
|
miscfiles_read_localization(bootloader_t)
|
|
|
|
selinux_read_binary_pol(bootloader_t)
|
|
selinux_read_loadpol(bootloader_t)
|
|
|
|
ifdef(`distro_debian', `
|
|
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
|
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
|
allow bootloader_t boot_t:file relabelfrom;
|
|
')
|
|
|
|
ifdef(`distro_redhat', `
|
|
# for memlock
|
|
allow bootloader_t self:capability ipc_lock;
|
|
|
|
# new file system defaults to file_t, granting file_t access is still bad.
|
|
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
|
|
|
|
# mkinitrd mount initrd on bootloader temp dir
|
|
files_mountpoint(bootloader_tmp_t)
|
|
|
|
# for mke2fs
|
|
mount_domtrans(bootloader_t)
|
|
')
|
|
|
|
optional_policy(`filesystemtools.te', `
|
|
filesystemtools_execute(bootloader_t)
|
|
')
|
|
|
|
# LVM2 / Device Mapper's /dev/mapper/control
|
|
# maybe we should change the labeling for this
|
|
optional_policy(`lvm.te', `
|
|
dev_rw_lvm_control(bootloader_t)
|
|
|
|
lvm_domtrans(bootloader_t)
|
|
lvm_read_config(bootloader_t)
|
|
')
|
|
|
|
optional_policy(`modutils.te',`
|
|
modutils_exec_insmod(insmod_t)
|
|
modutils_read_kernel_module_dependencies(bootloader_t)
|
|
modutils_read_module_conf(bootloader_t)
|
|
modutils_exec_insmod(bootloader_t)
|
|
modutils_exec_depmod(bootloader_t)
|
|
modutils_exec_update_mods(bootloader_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
|
|
allow bootloader_t initrc_t:fifo_file { read write };
|
|
|
|
allow bootloader_t sysfs_t:dir getattr;
|
|
|
|
allow bootloader_t var_t:dir search;
|
|
allow bootloader_t var_t:file { getattr read };
|
|
|
|
ifdef(`distro_debian', `
|
|
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
|
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
|
|
allow bootloader_t tmpfs_t:dir r_dir_perms;
|
|
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
|
|
allow bootloader_t var_lib_t:dir search;
|
|
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
|
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
|
|
|
# for /usr/share/initrd-tools/scripts
|
|
can_exec(bootloader_t, usr_t)
|
|
')
|
|
|
|
ifdef(`distro_redhat', `
|
|
# new file system defaults to file_t, granting file_t access is still bad.
|
|
allow bootloader_t file_t:dir create_dir_perms;
|
|
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
|
|
allow bootloader_t file_t:lnk_file create_lnk_perms;
|
|
')
|
|
|
|
dontaudit bootloader_t selinux_config_t:dir search;
|
|
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
|
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
|
') dnl end TODO
|