diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 224ca76604..08a5401150 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,11 +9,24 @@
 /usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/bin/kernel-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
+/usr/sbin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/update-initramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 185f749ce9..d8b158ff44 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -2,7 +2,7 @@
 ########################################
 ##
-## Execute bootloader in the bootloader domain.
+## Execute bootloader and mkinitramfs in their domains.
 ##
 ##
 ##
@@ -13,10 +13,12 @@ interface(`bootloader_domtrans',`
 gen_require(`
 type bootloader_t, bootloader_exec_t;
+ type mkinitramfs_t, mkinitramfs_exec_t;
 ')
 corecmd_search_bin($1)
 domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ domtrans_pattern($1, mkinitramfs_exec_t, mkinitramfs_t)
 ')
 ########################################
@@ -105,7 +107,7 @@ interface(`bootloader_rw_config',`
 ########################################
 ##
 ## Read and write the bootloader
-## temporary data in /tmp.
+## temporary files in /tmp.
 ##
 ##
 ##
@@ -122,6 +124,27 @@ interface(`bootloader_rw_tmp_files',`
 allow $1 bootloader_tmp_t:file rw_file_perms;
 ')
+########################################
+##
+## Manage the bootloader temporary files in /tmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bootloader_manage_tmp_files',`
+ gen_require(`
+ type bootloader_tmp_t;
+ ')
+ files_search_tmp($1)
+ allow $1 bootloader_tmp_t:lnk_file read;
+ allow $1 bootloader_tmp_t:dir rw_dir_perms;
+ allow $1 bootloader_tmp_t:file manage_file_perms;
+')
 ########################################
 ##
 ## Create, read and write the bootloader
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 86a94ddd67..e8b2045ce1 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -8,6 +8,7 @@ policy_module(bootloader)
 attribute_role bootloader_roles;
 roleattribute system_r bootloader_roles;
+ifdef(`distro_redhat',`
 #
 # boot_runtime_t is the type for /boot/kernel.h,
 # which is automatically generated at boot time.
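Review bot: In the new `bootloader_manage_tmp_files` interface the symlink rule is spelled with a raw permission, `allow $1 bootloader_tmp_t:lnk_file read;`, while the two rules beside it use the permission-set macros (`rw_dir_perms`, `manage_file_perms`); `allow $1 bootloader_tmp_t:lnk_file read_lnk_file_perms;` is the conventional form and also covers getattr, which following a link normally needs. The summary says "Manage", but only files are managed here, directories are read/written without create or delete, and symlinks are read-only; if that asymmetry is intended (the only caller in this diff, kmod_t in modutils.te, presumably just creates and removes files in an existing tree) a sentence in the summary saying so would save the next reader from widening it.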
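Review bot: Wrapping the `boot_runtime_t` declaration in `ifdef(`distro_redhat',`` (closed by the `+')` in the next hunk) makes the type exist only on Red Hat builds, but nothing in this diff guards the other places that name it; any rule in bootloader.te or `gen_require` in a bootloader.if interface that still references boot_runtime_t unconditionally will fail to build on every other distro. Please confirm those references sit inside the same conditional or move them there. A comment on the ifdef stating the reason, presumably that only Red Hat systems generate /boot/kernel.h, would also help: `# /boot/kernel.h is only generated on Red Hat systems`.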
@@ -15,12 +16,18 @@ roleattribute system_r bootloader_roles;
 #
 type boot_runtime_t;
 files_type(boot_runtime_t)
+')
 type bootloader_t;
 type bootloader_exec_t;
 application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
+type mkinitramfs_t;
+type mkinitramfs_exec_t;
+application_domain(mkinitramfs_t, mkinitramfs_exec_t)
+role bootloader_roles types mkinitramfs_t;
+
 #
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
@@ -43,13 +50,10 @@ dev_node(bootloader_tmp_t)
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 dontaudit bootloader_t self:capability { net_admin sys_resource };
-allow bootloader_t self:process { execmem getsched signal_perms };
+allow bootloader_t self:process { execmem getsched getcap signal_perms };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 allow bootloader_t bootloader_etc_t:file read_file_perms;
-# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file manage_file_perms;
-#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
 manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
 manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
@@ -61,11 +65,15 @@ allow bootloader_t bootloader_tmp_t:dir mounton;
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+domain_auto_transition_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)
+allow mkinitramfs_t bootloader_t:fd use;
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
+kernel_read_vm_overcommit_sysctl(bootloader_t)
 kernel_search_debugfs(bootloader_t)
 kernel_setsched(bootloader_t)
 kernel_dontaudit_getattr_proc(bootloader_t)
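Review bot: The bootloader_t to mkinitramfs_t transition is written as `domain_auto_transition_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)` plus a hand-written `allow mkinitramfs_t bootloader_t:fd use;`, which leaves out the inherited-fifo and sigchld rules that `domtrans_pattern` bundles with fd use; if those are not deliberately withheld, `domtrans_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)` says the same thing in one line and matches how bootloader.if's own interfaces express transitions. The same shape appears in the reverse direction in the mkinitramfs local policy hunk (`domain_auto_transition_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)` with `allow bootloader_t mkinitramfs_t:fd use;`). If the reduced form is intentional, so that the child cannot signal or share pipes with its caller, a one-line comment above each pair stating that would stop the next reader from "fixing" it.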
@@ -98,6 +106,7 @@ fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for EFI
 fs_getattr_efivarfs(bootloader_t)
+fs_manage_dos_dirs(bootloader_t)
 fs_manage_dos_files(bootloader_t)
 fs_mmap_read_dos_files(bootloader_t)
 fs_search_cgroup_dirs(bootloader_t)
@@ -176,17 +185,13 @@ userdom_dontaudit_manage_user_home_dirs(bootloader_t)
 userdom_dontaudit_write_user_home_content_files(bootloader_t)
 ifdef(`distro_debian',`
+ # for /usr/lib/kernel/install.d/50-depmod.install
+ files_delete_kernel_modules(bootloader_t)
+ modutils_delete_module_deps(bootloader_t)
+
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 fs_list_tmpfs(bootloader_t)
- files_relabel_kernel_modules(bootloader_t)
- files_relabelfrom_boot_files(bootloader_t)
- files_delete_kernel_modules(bootloader_t)
- files_relabelto_usr_files(bootloader_t)
- files_search_var_lib(bootloader_t)
- # for /usr/share/initrd-tools/scripts
- files_exec_usr_files(bootloader_t)
- fstools_manage_entry_files(bootloader_t)
 fstools_relabelto_entry_files(bootloader_t)
@@ -243,6 +248,10 @@ optional_policy(`
 fstools_exec(bootloader_t)
 ')
+optional_policy(`
+ fwupd_read_var_file(bootloader_t)
+')
+
 optional_policy(`
 gpm_getattr_gpmctl(bootloader_t)
 ')
@@ -271,3 +280,109 @@ optional_policy(`
 optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
+
+
+########################################
+#
+# mkinitramfs local policy
+#
+
+allow mkinitramfs_t self:capability sys_chroot;
+allow mkinitramfs_t self:process getsched;
+allow mkinitramfs_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_lnk_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+files_tmp_filetrans(mkinitramfs_t, bootloader_tmp_t, { file dir })
+allow mkinitramfs_t bootloader_tmp_t:file relabelfrom;
+allow mkinitramfs_t bootloader_tmp_t:lnk_file relabelfrom;
+can_exec(mkinitramfs_t, bootloader_tmp_t)
+
+# /usr/share/initramfs-tools/hooks/keymap calls setupcon which uses /run for temp files
+files_runtime_filetrans(mkinitramfs_t, bootloader_tmp_t, file)
+
+can_exec(mkinitramfs_t, mkinitramfs_exec_t)
+
+domain_auto_transition_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t mkinitramfs_t:fd use;
+
+kernel_read_kernel_sysctls(mkinitramfs_t)
+kernel_read_system_state(mkinitramfs_t)
+kernel_read_vm_overcommit_sysctl(mkinitramfs_t)
+
+dev_read_sysfs(mkinitramfs_t)
+dev_read_urand(mkinitramfs_t)
+domain_obj_id_change_exemption(mkinitramfs_t)
+
+consolesetup_read_conf(mkinitramfs_t)
+
+corecmd_exec_bin(mkinitramfs_t)
+corecmd_exec_shell(mkinitramfs_t)
+
+domain_use_interactive_fds(mkinitramfs_t)
+userdom_use_inherited_user_terminals(mkinitramfs_t)
+
+files_exec_usr_files(mkinitramfs_t)
+files_manage_boot_files(mkinitramfs_t)
+files_manage_kernel_modules(mkinitramfs_t)
+files_read_etc_files(mkinitramfs_t)
+files_read_kernel_modules(mkinitramfs_t)
+files_relabel_kernel_modules(mkinitramfs_t)
+files_search_var_lib(mkinitramfs_t)
+
+fs_list_efivars(mkinitramfs_t)
+fs_read_efivarfs_files(mkinitramfs_t)
+fs_read_cgroup_symlinks(mkinitramfs_t)
+fstools_exec(mkinitramfs_t)
+fstools_manage_runtime_files(mkinitramfs_t)
+
+libs_exec_ld_so(mkinitramfs_t)
+libs_exec_ldconfig(mkinitramfs_t)
+libs_exec_lib_files(mkinitramfs_t)
+libs_manage_lib_files(mkinitramfs_t)
+libs_relabelto_lib_files(mkinitramfs_t)
+
+miscfiles_read_localization(mkinitramfs_t)
+
+modutils_domtrans(mkinitramfs_t)
+modutils_read_module_config(mkinitramfs_t)
+modutils_read_module_deps(mkinitramfs_t)
+mount_domtrans(mkinitramfs_t)
+
+storage_raw_read_fixed_disk(mkinitramfs_t)
+sysnet_read_config(mkinitramfs_t)
+
+term_getattr_unallocated_ttys(mkinitramfs_t)
+
+udev_read_rules_files(mkinitramfs_t)
+
+userdom_dontaudit_getattr_user_home_dirs(mkinitramfs_t)
+
+optional_policy(`
+ dpkg_exec(mkinitramfs_t)
+')
+
+optional_policy(`
+ loadkeys_exec(mkinitramfs_t)
+')
+
+optional_policy(`
+ lvm_domtrans(mkinitramfs_t)
+ lvm_manage_config(mkinitramfs_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(mkinitramfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(mkinitramfs_t)
+')
+
+ifdef(`distro_debian',`
+ optional_policy(`
+ apt_use_fds(mkinitramfs_t)
+ apt_use_ptys(mkinitramfs_t)
+ ')
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 59164d5c6f..d13a93861f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -51,6 +51,8 @@ ifdef(`distro_redhat',`
 /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
+/etc/initramfs/post-update\.d/[^/]+ -- gen_context(system_u:object_r:bin_t,s0)
+
 /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/fwupd.if b/policy/modules/system/fwupd.if
index be3d0bd10f..b3474d7cc4 100644
--- a/policy/modules/system/fwupd.if
+++ b/policy/modules/system/fwupd.if
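Review bot: Several of the wider grants in the new mkinitramfs local policy carry no explanation while a narrow one does (the `files_runtime_filetrans` line names the hook that needs it): `libs_manage_lib_files(mkinitramfs_t)` and `libs_relabelto_lib_files(mkinitramfs_t)` allow writing and relabelling every lib_t object, not only copies staged under bootloader_tmp_t; `storage_raw_read_fixed_disk(mkinitramfs_t)`, as its name indicates, opens raw fixed-disk device nodes for reading; and `self:capability sys_chroot` together with `domain_obj_id_change_exemption(mkinitramfs_t)` are likewise unexplained. Presumably these come from initramfs-tools hooks copying libraries into the staging tree and probing block devices, but that is inferred, so a short comment above each naming the hook or tool that produced the denial would make the grants auditable and let a later reviewer narrow them. If the lib_t manage rule is needed only for files that were relabelled to lib_t inside the staging tree, it is worth stating that too, since as written it also covers the installed libraries.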
@@ -34,3 +34,23 @@ interface(`fwupd_run',`
 domtrans_pattern($1, fwupdmgr_exec_t, fwupdmgr_t)
 roleattribute $2 fwupdmgr_roles;
 ')
+
+########################################
+##
+## Read /var/lib/fwupd/* files
+##
+##
+##
+## Domain allowed to read
+##
+##
+##
+#
+interface(`fwupd_read_var_file',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ allow $1 fwupd_var_lib_t:dir search;
+ allow $1 fwupd_var_lib_t:file read_file_perms;
+')
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 09e782c6f3..9bb83fded2 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -38,6 +38,24 @@ interface(`modutils_read_module_deps',`
 allow $1 modules_dep_t:file { map read_file_perms };
 ')
+########################################
+##
+## rm kernel dependency files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_delete_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ allow $1 modules_dep_t:file unlink;
+')
+
 ########################################
 ##
 ## Read the configuration options used when
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fa06e9ec37..e564b1bc41 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -133,11 +133,6 @@ optional_policy(`
 alsa_domtrans(kmod_t)
 ')
-optional_policy(`
- apt_use_fds(kmod_t)
- apt_use_ptys(kmod_t)
-')
-
 optional_policy(`
 # for postinst of a new kernel package
 dpkg_manage_script_tmp_files(kmod_t)
@@ -147,6 +142,10 @@ optional_policy(`
 apt_use_ptys(kmod_t)
 ')
+optional_policy(`
+ bootloader_manage_tmp_files(kmod_t)
+')
+
 optional_policy(`
 firstboot_dontaudit_rw_pipes(kmod_t)
 firstboot_dontaudit_rw_stream_sockets(kmod_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 5a67f08ee3..b74fcfc531 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
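Review bot: `fwupd_read_var_file` advertises "Read /var/lib/fwupd/* files" in its summary but grants only `allow $1 fwupd_var_lib_t:dir search;`, so a caller that enumerates the directory (a glob or readdir) is still denied; if that is the intended use, `allow $1 fwupd_var_lib_t:dir list_dir_perms;` matches the summary, and if only known file names are opened the summary should drop the `*`. The interface also does not call `files_search_var_lib($1)`, so callers must already be able to traverse /var/lib; bootloader_t presumably can, but adding the search call, as the new `udev_read_rules_files` does with `files_search_etc($1)`, would make the interface self-contained.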
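Review bot: `bootloader_manage_tmp_files(kmod_t)` is added without a comment, unlike the neighbouring block which records `# for postinst of a new kernel package`; a kmod_t domain creating and deleting files in the bootloader's /tmp tree is not self-evident, and this diff only hints (via the `50-depmod.install` comment in bootloader.te) that it is depmod being run against an initramfs staging tree. A line such as `# for depmod run against the initramfs staging tree (confirm)` above the call would record the trigger and let a later reviewer judge whether manage_file_perms can be narrowed.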
@@ -96,6 +96,11 @@ userdom_use_user_terminals(mdadm_t)
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
+optional_policy(`
+ apt_use_fds(mdadm_t)
+ dpkg_script_rw_inherited_pipes(mdadm_t)
+')
+
 optional_policy(`
 cron_system_entry(mdadm_t, mdadm_exec_t)
 cron_rw_inherited_tmp_files(mdadm_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index e83e0cb95d..d353236134 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -242,6 +242,26 @@ interface(`udev_relabel_rules_files',`
 files_search_etc($1)
 ')
+########################################
+##
+## read udev rules files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:dir list_dir_perms;
+ allow $1 udev_rules_t:file read_file_perms;
+ files_search_etc($1)
+')
+
 ########################################
 ##
 ## Search through udev runtime dirs.
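Review bot: The new optional_policy block for mdadm_t mixes calls from two modules, `apt_use_fds(mdadm_t)` and `dpkg_script_rw_inherited_pipes(mdadm_t)`; since an optional block is dropped as a whole when any type it requires is missing, a build with dpkg but without apt loses the pipe rule too. Unless apt is known to always be present alongside dpkg, splitting them into two optional_policy blocks keeps each rule independent, and a one-line comment naming the trigger (presumably mdadm run from a kernel package's postinst) would explain why a RAID tool needs package-manager file descriptors at all.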
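Review bot: `udev_read_rules_files` only calls `files_search_etc($1)`, which covers rules under /etc/udev; if udev_rules_t also labels the vendor rules under /usr/lib/udev/rules.d (the udev.fc entries are outside this diff), callers such as mkinitramfs_t would still be denied the path search there and the interface would need a `files_search_usr($1)` as well. This mirrors the existing `udev_relabel_rules_files` just above, so if that one has the same gap it is worth fixing both in one place. The summary `read udev rules files` would also read better capitalised, matching the neighbouring interface summaries.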