diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 224ca76604..08a5401150 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,11 +9,24 @@
/usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/bin/kernel-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
+/usr/sbin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/update-initramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
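Review bot: The new `/usr/sbin` rows do not mirror the `/usr/bin` side consistently: `kernel-install` is added only under `/usr/bin` (L10), while `bootctl` and `efibootmgr` are added only under `/usr/sbin` (L15–L16), so on a distribution that installs them in the other directory the binary keeps its default bin_t label and callers of bootloader_domtrans never transition. Every other tool in this hunk has both spellings. Adding `/usr/bin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)`, `/usr/bin/efibootmgr -- gen_context(system_u:object_r:bootloader_exec_t,s0)` and `/usr/sbin/kernel-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)` would make the two lists symmetric; if the asymmetry is deliberate (tool only ever ships in one place), a short comment saying so would stop the next reader from "fixing" it.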
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 185f749ce9..d8b158ff44 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -2,7 +2,7 @@
########################################
##
-## Execute bootloader in the bootloader domain.
+## Execute bootloader and mkinitramfs in their domains.
##
##
##
@@ -13,10 +13,12 @@
interface(`bootloader_domtrans',`
gen_require(`
type bootloader_t, bootloader_exec_t;
+ type mkinitramfs_t, mkinitramfs_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ domtrans_pattern($1, mkinitramfs_exec_t, mkinitramfs_t)
')
########################################
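Review bot: Adding the mkinitramfs transition inside bootloader_domtrans means every existing caller of this interface (presumably package managers and the bootloader_run wrapper, which are outside this hunk) now also transitions into mkinitramfs_t with no way to request only the bootloader transition. If a caller only needs to run grub/kernel-install, the extra transition is harmless but widens the set of domains that can enter mkinitramfs_t. A separate `mkinitramfs_domtrans` interface called from here would keep the current behaviour for existing callers while letting new callers pick one, and the summary at L37 could then stay accurate for both. If bootloader_run is meant to cover roles for both domains, `role bootloader_roles types mkinitramfs_t` in the .te hunk appears to handle that side.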
@@ -105,7 +107,7 @@ interface(`bootloader_rw_config',`
########################################
##
## Read and write the bootloader
-## temporary data in /tmp.
+## temporary files in /tmp.
##
##
##
@@ -122,6 +124,27 @@ interface(`bootloader_rw_tmp_files',`
allow $1 bootloader_tmp_t:file rw_file_perms;
')
+########################################
+##
+## Manage the bootloader temporary files in /tmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bootloader_manage_tmp_files',`
+ gen_require(`
+ type bootloader_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 bootloader_tmp_t:lnk_file read;
+ allow $1 bootloader_tmp_t:dir rw_dir_perms;
+ allow $1 bootloader_tmp_t:file manage_file_perms;
+')
+
########################################
##
## Create, read and write the bootloader
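Review bot: The symlink rule at L80, `allow $1 bootloader_tmp_t:lnk_file read;`, uses a bare permission where refpolicy interfaces normally use the permission-set macro; `getattr` is missing, so a stat() on a symlink in the tmp tree will be denied even though read is allowed. Use `allow $1 bootloader_tmp_t:lnk_file read_lnk_file_perms;`. The dir/file pair at L81–L82 is exactly what `manage_files_pattern($1, bootloader_tmp_t, bootloader_tmp_t)` expands to, which would also make this interface read like the existing bootloader_rw_tmp_files above it.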
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 86a94ddd67..e8b2045ce1 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -8,6 +8,7 @@ policy_module(bootloader)
attribute_role bootloader_roles;
roleattribute system_r bootloader_roles;
+ifdef(`distro_redhat',`
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
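Review bot: Wrapping the declaration of boot_runtime_t in `ifdef(`distro_redhat',`` (opened at L95, closed at L103 in the next hunk) makes the type disappear on every non-Red Hat build; any interface in bootloader.if that `gen_require`s boot_runtime_t (the runtime-file interfaces are not visible in this diff, so this is inferred) will then fail to build when called outside an optional_policy block, and silently drop out when called inside one. If those interfaces exist, either wrap them in the same ifdef or keep the type declared unconditionally and make only the rules conditional. A one-line comment above the ifdef, e.g. `# /boot/kernel.h is only generated on Red Hat-style systems`, would also explain why this block is distro-specific, since the existing comment at L97–L98 does not say so.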
@@ -15,12 +16,18 @@ roleattribute system_r bootloader_roles;
#
type boot_runtime_t;
files_type(boot_runtime_t)
+')
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
role bootloader_roles types bootloader_t;
+type mkinitramfs_t;
+type mkinitramfs_exec_t;
+application_domain(mkinitramfs_t, mkinitramfs_exec_t)
+role bootloader_roles types mkinitramfs_t;
+
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
@@ -43,13 +50,10 @@ dev_node(bootloader_tmp_t)
allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
dontaudit bootloader_t self:capability { net_admin sys_resource };
-allow bootloader_t self:process { execmem getsched signal_perms };
+allow bootloader_t self:process { execmem getsched getcap signal_perms };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
allow bootloader_t bootloader_etc_t:file read_file_perms;
-# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file manage_file_perms;
-#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
@@ -61,11 +65,15 @@ allow bootloader_t bootloader_tmp_t:dir mounton;
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+domain_auto_transition_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)
+allow mkinitramfs_t bootloader_t:fd use;
+
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
+kernel_read_vm_overcommit_sysctl(bootloader_t)
kernel_search_debugfs(bootloader_t)
kernel_setsched(bootloader_t)
kernel_dontaudit_getattr_proc(bootloader_t)
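Review bot: The pair at L131–L132 hand-rolls part of what `domtrans_pattern` provides: `domain_auto_transition_pattern` plus the `fd use` rule, but without the inherited fifo_file rw and `process sigchld` rules that the macro also grants, so a pipeline between the two domains or the parent collecting the child's exit may still be denied. Replace both lines with `domtrans_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)`. The same pattern recurs at L208–L209 in the mkinitramfs local policy hunk, where `domtrans_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)` would replace the two lines.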
@@ -98,6 +106,7 @@ fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for EFI
fs_getattr_efivarfs(bootloader_t)
+fs_manage_dos_dirs(bootloader_t)
fs_manage_dos_files(bootloader_t)
fs_mmap_read_dos_files(bootloader_t)
fs_search_cgroup_dirs(bootloader_t)
@@ -176,17 +185,13 @@ userdom_dontaudit_manage_user_home_dirs(bootloader_t)
userdom_dontaudit_write_user_home_content_files(bootloader_t)
ifdef(`distro_debian',`
+ # for /usr/lib/kernel/install.d/50-depmod.install
+ files_delete_kernel_modules(bootloader_t)
+ modutils_delete_module_deps(bootloader_t)
+
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
fs_list_tmpfs(bootloader_t)
- files_relabel_kernel_modules(bootloader_t)
- files_relabelfrom_boot_files(bootloader_t)
- files_delete_kernel_modules(bootloader_t)
- files_relabelto_usr_files(bootloader_t)
- files_search_var_lib(bootloader_t)
- # for /usr/share/initrd-tools/scripts
- files_exec_usr_files(bootloader_t)
-
fstools_manage_entry_files(bootloader_t)
fstools_relabelto_entry_files(bootloader_t)
@@ -243,6 +248,10 @@ optional_policy(`
fstools_exec(bootloader_t)
')
+optional_policy(`
+ fwupd_read_var_file(bootloader_t)
+')
+
optional_policy(`
gpm_getattr_gpmctl(bootloader_t)
')
@@ -271,3 +280,109 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(bootloader_t)
')
+
+
+########################################
+#
+# mkinitramfs local policy
+#
+
+allow mkinitramfs_t self:capability sys_chroot;
+allow mkinitramfs_t self:process getsched;
+allow mkinitramfs_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_lnk_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
+files_tmp_filetrans(mkinitramfs_t, bootloader_tmp_t, { file dir })
+allow mkinitramfs_t bootloader_tmp_t:file relabelfrom;
+allow mkinitramfs_t bootloader_tmp_t:lnk_file relabelfrom;
+can_exec(mkinitramfs_t, bootloader_tmp_t)
+
+# /usr/share/initramfs-tools/hooks/keymap calls setupcon which uses /run for temp files
+files_runtime_filetrans(mkinitramfs_t, bootloader_tmp_t, file)
+
+can_exec(mkinitramfs_t, mkinitramfs_exec_t)
+
+domain_auto_transition_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t mkinitramfs_t:fd use;
+
+kernel_read_kernel_sysctls(mkinitramfs_t)
+kernel_read_system_state(mkinitramfs_t)
+kernel_read_vm_overcommit_sysctl(mkinitramfs_t)
+
+dev_read_sysfs(mkinitramfs_t)
+dev_read_urand(mkinitramfs_t)
+domain_obj_id_change_exemption(mkinitramfs_t)
+
+consolesetup_read_conf(mkinitramfs_t)
+
+corecmd_exec_bin(mkinitramfs_t)
+corecmd_exec_shell(mkinitramfs_t)
+
+domain_use_interactive_fds(mkinitramfs_t)
+userdom_use_inherited_user_terminals(mkinitramfs_t)
+
+files_exec_usr_files(mkinitramfs_t)
+files_manage_boot_files(mkinitramfs_t)
+files_manage_kernel_modules(mkinitramfs_t)
+files_read_etc_files(mkinitramfs_t)
+files_read_kernel_modules(mkinitramfs_t)
+files_relabel_kernel_modules(mkinitramfs_t)
+files_search_var_lib(mkinitramfs_t)
+
+fs_list_efivars(mkinitramfs_t)
+fs_read_efivarfs_files(mkinitramfs_t)
+fs_read_cgroup_symlinks(mkinitramfs_t)
+fstools_exec(mkinitramfs_t)
+fstools_manage_runtime_files(mkinitramfs_t)
+
+libs_exec_ld_so(mkinitramfs_t)
+libs_exec_ldconfig(mkinitramfs_t)
+libs_exec_lib_files(mkinitramfs_t)
+libs_manage_lib_files(mkinitramfs_t)
+libs_relabelto_lib_files(mkinitramfs_t)
+
+miscfiles_read_localization(mkinitramfs_t)
+
+modutils_domtrans(mkinitramfs_t)
+modutils_read_module_config(mkinitramfs_t)
+modutils_read_module_deps(mkinitramfs_t)
+mount_domtrans(mkinitramfs_t)
+
+storage_raw_read_fixed_disk(mkinitramfs_t)
+sysnet_read_config(mkinitramfs_t)
+
+term_getattr_unallocated_ttys(mkinitramfs_t)
+
+udev_read_rules_files(mkinitramfs_t)
+
+userdom_dontaudit_getattr_user_home_dirs(mkinitramfs_t)
+
+optional_policy(`
+ dpkg_exec(mkinitramfs_t)
+')
+
+optional_policy(`
+ loadkeys_exec(mkinitramfs_t)
+')
+
+optional_policy(`
+ lvm_domtrans(mkinitramfs_t)
+ lvm_manage_config(mkinitramfs_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(mkinitramfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(mkinitramfs_t)
+')
+
+ifdef(`distro_debian',`
+ optional_policy(`
+ apt_use_fds(mkinitramfs_t)
+ apt_use_ptys(mkinitramfs_t)
+ ')
+')
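Review bot: `consolesetup_read_conf(mkinitramfs_t)` at L219 is called unconditionally while loadkeys, lvm, raid and udev are wrapped in optional_policy; if consolesetup is not a base module in modules.conf (it lives in the admin layer, so I assume it is not), builds without it will fail on the missing interface. Wrap it as `optional_policy(`\n\tconsolesetup_read_conf(mkinitramfs_t)\n')` like its neighbours. `libs_manage_lib_files` and `libs_relabelto_lib_files` at L244–L245 grant write and unlink on the system's lib_t files, not only on the copies in the bootloader_tmp_t build tree; if that is needed because copied libraries are relabeled to lib_t and then modified in place, a `# for …` comment saying so (as L203 does for setupcon) would justify the broad grant, otherwise it is worth trimming. The tmp-typed files created under /run by L204 are explained, but the same comment style would help at L254 (`storage_raw_read_fixed_disk`), which is an unusual permission for an initramfs builder.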
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 59164d5c6f..d13a93861f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -51,6 +51,8 @@ ifdef(`distro_redhat',`
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
+/etc/initramfs/post-update\.d/[^/]+ -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/fwupd.if b/policy/modules/system/fwupd.if
index be3d0bd10f..b3474d7cc4 100644
--- a/policy/modules/system/fwupd.if
+++ b/policy/modules/system/fwupd.if
@@ -34,3 +34,23 @@ interface(`fwupd_run',`
domtrans_pattern($1, fwupdmgr_exec_t, fwupdmgr_t)
roleattribute $2 fwupdmgr_roles;
')
+
+########################################
+##
+## Read /var/lib/fwupd/* files
+##
+##
+##
+## Domain allowed to read
+##
+##
+##
+#
+interface(`fwupd_read_var_file',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ allow $1 fwupd_var_lib_t:dir search;
+ allow $1 fwupd_var_lib_t:file read_file_perms;
+')
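Review bot: The new interface's name and permissions depart from the refpolicy conventions used by the surrounding modules: the type is fwupd_var_lib_t and the interface reads files, so `fwupd_read_var_lib_files` would match the `modutils_read_module_deps` / `udev_read_rules_files` style, and a bare `dir search` at L326 misses getattr. The caller also needs to reach /var/lib, which this interface does not grant. Suggested body: `files_search_var_lib($1)`, `allow $1 fwupd_var_lib_t:dir search_dir_perms;`, `allow $1 fwupd_var_lib_t:file read_file_perms;`. The summary at L312 should end with a period and the parameter text at L316 should be the usual "Domain allowed access."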
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 09e782c6f3..9bb83fded2 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -38,6 +38,24 @@ interface(`modutils_read_module_deps',`
allow $1 modules_dep_t:file { map read_file_perms };
')
+########################################
+##
+## rm kernel dependency files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_delete_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ allow $1 modules_dep_t:file unlink;
+')
+
########################################
##
## Read the configuration options used when
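Review bot: `allow $1 modules_dep_t:file unlink;` at L351 uses a bare permission; refpolicy interfaces use `delete_file_perms` (which also carries getattr) so that the deletion path does not trip on the stat that precedes the unlink. Unlinking also needs remove_name on the containing directory, which this interface deliberately does not grant; that is fine if callers are expected to pair it with files_delete_kernel_modules as bootloader.te does at L155–L156, but the summary should say so. Proposed: `allow $1 modules_dep_t:file delete_file_perms;` and summary `## Delete the kernel module dependency files (the caller must separately be allowed to remove names from the modules directory).`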
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fa06e9ec37..e564b1bc41 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -133,11 +133,6 @@ optional_policy(`
alsa_domtrans(kmod_t)
')
-optional_policy(`
- apt_use_fds(kmod_t)
- apt_use_ptys(kmod_t)
-')
-
optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
@@ -147,6 +142,10 @@ optional_policy(`
apt_use_ptys(kmod_t)
')
+optional_policy(`
+ bootloader_manage_tmp_files(kmod_t)
+')
+
optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
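Review bot: The new optional_policy block at L375–L377 has no why-comment, unlike the neighbouring `# for postinst of a new kernel package` block, and nothing in this diff shows which kmod_t invocation writes into the bootloader tmp tree. A comment such as `# for depmod run by the initramfs build scripts against the bootloader_tmp_t tree — TODO confirm` would record the reason so the manage-level grant is not silently kept after the need goes away.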
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 5a67f08ee3..b74fcfc531 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -96,6 +96,11 @@ userdom_use_user_terminals(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
+optional_policy(`
+ apt_use_fds(mdadm_t)
+ dpkg_script_rw_inherited_pipes(mdadm_t)
+')
+
optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
cron_rw_inherited_tmp_files(mdadm_t)
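Review bot: The new block at L389–L392 mixes two modules (apt and dpkg) in one optional_policy, so if either is absent from the build the whole block is dropped, and unlike the equivalent apt block added to bootloader.te at L284–L289 it is not guarded by `ifdef(`distro_debian',``. Splitting it into one optional_policy per module and wrapping both in the distro_debian ifdef would match the convention the rest of this commit follows.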
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index e83e0cb95d..d353236134 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -242,6 +242,26 @@ interface(`udev_relabel_rules_files',`
files_search_etc($1)
')
+########################################
+##
+## read udev rules files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:dir list_dir_perms;
+ allow $1 udev_rules_t:file read_file_perms;
+ files_search_etc($1)
+')
+
########################################
##
## Search through udev runtime dirs.
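Review bot: The summary at L406, `## read udev rules files`, is lowercase and unpunctuated while the neighbouring interfaces use full sentences; `## Read the udev rules files.` would match. The body only grants `files_search_etc($1)`, so if udev_rules_t is also applied to rules under /usr/lib/udev/rules.d (udev.fc is not in this diff, so this is unconfirmed) callers would additionally need `files_search_usr($1)` or the appropriate lib search interface to reach those directories.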