
boot #1157

15 changes: 14 additions & 1 deletion policy/modules/admin/bootloader.fc
Expand Up @@ -9,11 +9,24 @@
/usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/kernel-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)

/usr/sbin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/efibootmgr -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/mkinitramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
/usr/sbin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/update-initramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)
/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)

/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
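Review bot: `/usr/bin/mkinitramfs` and `/usr/bin/update-initramfs` have no entries, while every other tool in this file is labelled under both `/usr/bin` and `/usr/sbin`; on a system where sbin is merged into bin the two scripts would fall back to `bin_t` and run in the caller's domain, so the new `mkinitramfs_t` domain would never be entered. Unless they are listed in the part of the file above this hunk, add `/usr/bin/mkinitramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)` and `/usr/bin/update-initramfs -- gen_context(system_u:object_r:mkinitramfs_exec_t,s0)` to the `/usr/bin` group. The same asymmetry applies to `bootctl` and `efibootmgr`, which appear only under `/usr/sbin`.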
27 changes: 25 additions & 2 deletions policy/modules/admin/bootloader.if
Expand Up @@ -2,7 +2,7 @@

########################################
## <summary>
## Execute bootloader in the bootloader domain.
## Execute bootloader and mkinitramfs in their domains.
## </summary>
## <param name="domain">
## <summary>
Expand All @@ -13,10 +13,12 @@
interface(`bootloader_domtrans',`
gen_require(`
type bootloader_t, bootloader_exec_t;
type mkinitramfs_t, mkinitramfs_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
domtrans_pattern($1, mkinitramfs_exec_t, mkinitramfs_t)
')


I don't think these should be overloaded like this. Additionally, I think mkinitramfs should have its own module.


########################################
Expand Down Expand Up @@ -105,7 +107,7 @@ interface(`bootloader_rw_config',`
########################################
## <summary>
## Read and write the bootloader
## temporary data in /tmp.
## temporary files in /tmp.
## </summary>
## <param name="domain">
## <summary>
Expand All @@ -122,6 +124,27 @@ interface(`bootloader_rw_tmp_files',`
allow $1 bootloader_tmp_t:file rw_file_perms;
')

########################################
## <summary>
## Manage the bootloader temporary files in /tmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_manage_tmp_files',`
gen_require(`
type bootloader_tmp_t;
')

files_search_tmp($1)
allow $1 bootloader_tmp_t:lnk_file read;
allow $1 bootloader_tmp_t:dir rw_dir_perms;
allow $1 bootloader_tmp_t:file manage_file_perms;
')

########################################
## <summary>
## Create, read and write the bootloader
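Review bot: `bootloader_manage_tmp_files` spells out raw `allow` rules where the tree normally uses the refpolicy patterns, and `lnk_file read` omits the `getattr` that `read_lnk_file_perms` carries, so a caller that stats a symlink in the tmp tree before following it would still be denied. Replacing the three `allow` lines with `read_lnk_files_pattern($1, bootloader_tmp_t, bootloader_tmp_t)` and `manage_files_pattern($1, bootloader_tmp_t, bootloader_tmp_t)` grants the same `dir rw_dir_perms` and `file manage_file_perms` plus the missing `getattr`, and matches the `manage_*_pattern` calls already used for `bootloader_tmp_t` in bootloader.te.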
139 changes: 127 additions & 12 deletions policy/modules/admin/bootloader.te
Expand Up @@ -8,19 +8,26 @@ policy_module(bootloader)
attribute_role bootloader_roles;
roleattribute system_r bootloader_roles;

ifdef(`distro_redhat',`
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t;
files_type(boot_runtime_t)
')
Comment on lines +11 to +19

I don't see this file on any of my Fedora or AlmaLinux systems, so I'd be fine with removing this, with an alias to boot_t.


type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
role bootloader_roles types bootloader_t;

type mkinitramfs_t;
type mkinitramfs_exec_t;
application_domain(mkinitramfs_t, mkinitramfs_exec_t)
role bootloader_roles types mkinitramfs_t;

#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
Expand All @@ -43,13 +50,10 @@ dev_node(bootloader_tmp_t)

allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
dontaudit bootloader_t self:capability { net_admin sys_resource };
allow bootloader_t self:process { execmem getsched signal_perms };
allow bootloader_t self:process { execmem getsched getcap signal_perms };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)

manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
Expand All @@ -61,11 +65,15 @@ allow bootloader_t bootloader_tmp_t:dir mounton;
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)

domain_auto_transition_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)
allow mkinitramfs_t bootloader_t:fd use;

kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
kernel_read_vm_overcommit_sysctl(bootloader_t)
kernel_search_debugfs(bootloader_t)
kernel_setsched(bootloader_t)
kernel_dontaudit_getattr_proc(bootloader_t)
Expand Down Expand Up @@ -98,6 +106,7 @@ fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for EFI
fs_getattr_efivarfs(bootloader_t)
fs_manage_dos_dirs(bootloader_t)
fs_manage_dos_files(bootloader_t)
fs_mmap_read_dos_files(bootloader_t)
fs_search_cgroup_dirs(bootloader_t)
Expand Down Expand Up @@ -176,17 +185,13 @@ userdom_dontaudit_manage_user_home_dirs(bootloader_t)
userdom_dontaudit_write_user_home_content_files(bootloader_t)

ifdef(`distro_debian',`
# for /usr/lib/kernel/install.d/50-depmod.install
files_delete_kernel_modules(bootloader_t)
modutils_delete_module_deps(bootloader_t)

allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
fs_list_tmpfs(bootloader_t)

files_relabel_kernel_modules(bootloader_t)
files_relabelfrom_boot_files(bootloader_t)
files_delete_kernel_modules(bootloader_t)
files_relabelto_usr_files(bootloader_t)
files_search_var_lib(bootloader_t)
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)

fstools_manage_entry_files(bootloader_t)
fstools_relabelto_entry_files(bootloader_t)

Expand Down Expand Up @@ -243,6 +248,10 @@ optional_policy(`
fstools_exec(bootloader_t)
')

optional_policy(`
fwupd_read_var_file(bootloader_t)
')

optional_policy(`
gpm_getattr_gpmctl(bootloader_t)
')
Expand Down Expand Up @@ -271,3 +280,109 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(bootloader_t)
')


########################################
#
# mkinitramfs local policy
#

allow mkinitramfs_t self:capability sys_chroot;
allow mkinitramfs_t self:process getsched;
allow mkinitramfs_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
manage_lnk_files_pattern(mkinitramfs_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(mkinitramfs_t, bootloader_tmp_t, { file dir })
allow mkinitramfs_t bootloader_tmp_t:file relabelfrom;
allow mkinitramfs_t bootloader_tmp_t:lnk_file relabelfrom;
can_exec(mkinitramfs_t, bootloader_tmp_t)

# /usr/share/initramfs-tools/hooks/keymap calls setupcon which uses /run for temp files
files_runtime_filetrans(mkinitramfs_t, bootloader_tmp_t, file)

can_exec(mkinitramfs_t, mkinitramfs_exec_t)

domain_auto_transition_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)
allow bootloader_t mkinitramfs_t:fd use;

kernel_read_kernel_sysctls(mkinitramfs_t)
kernel_read_system_state(mkinitramfs_t)
kernel_read_vm_overcommit_sysctl(mkinitramfs_t)

dev_read_sysfs(mkinitramfs_t)
dev_read_urand(mkinitramfs_t)
domain_obj_id_change_exemption(mkinitramfs_t)

consolesetup_read_conf(mkinitramfs_t)

corecmd_exec_bin(mkinitramfs_t)
corecmd_exec_shell(mkinitramfs_t)

domain_use_interactive_fds(mkinitramfs_t)
userdom_use_inherited_user_terminals(mkinitramfs_t)

files_exec_usr_files(mkinitramfs_t)
files_manage_boot_files(mkinitramfs_t)
files_manage_kernel_modules(mkinitramfs_t)
files_read_etc_files(mkinitramfs_t)
files_read_kernel_modules(mkinitramfs_t)
files_relabel_kernel_modules(mkinitramfs_t)
files_search_var_lib(mkinitramfs_t)

fs_list_efivars(mkinitramfs_t)
fs_read_efivarfs_files(mkinitramfs_t)
fs_read_cgroup_symlinks(mkinitramfs_t)
fstools_exec(mkinitramfs_t)
fstools_manage_runtime_files(mkinitramfs_t)

libs_exec_ld_so(mkinitramfs_t)
libs_exec_ldconfig(mkinitramfs_t)
libs_exec_lib_files(mkinitramfs_t)
libs_manage_lib_files(mkinitramfs_t)
libs_relabelto_lib_files(mkinitramfs_t)

miscfiles_read_localization(mkinitramfs_t)

modutils_domtrans(mkinitramfs_t)
modutils_read_module_config(mkinitramfs_t)
modutils_read_module_deps(mkinitramfs_t)
mount_domtrans(mkinitramfs_t)

storage_raw_read_fixed_disk(mkinitramfs_t)
sysnet_read_config(mkinitramfs_t)

term_getattr_unallocated_ttys(mkinitramfs_t)

udev_read_rules_files(mkinitramfs_t)

userdom_dontaudit_getattr_user_home_dirs(mkinitramfs_t)

optional_policy(`
dpkg_exec(mkinitramfs_t)
')

optional_policy(`
loadkeys_exec(mkinitramfs_t)
')

optional_policy(`
lvm_domtrans(mkinitramfs_t)
lvm_manage_config(mkinitramfs_t)
')

optional_policy(`
raid_domtrans_mdadm(mkinitramfs_t)
')

optional_policy(`
udev_domtrans(mkinitramfs_t)
')

ifdef(`distro_debian',`
optional_policy(`
apt_use_fds(mkinitramfs_t)
apt_use_ptys(mkinitramfs_t)
')
')
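Review bot: The two transitions between `bootloader_t` and `mkinitramfs_t` use `domain_auto_transition_pattern` plus a hand-written `fd use`, which is exactly `domtrans_pattern` minus the `fifo_file rw_fifo_file_perms` and `process sigchld` rules it adds, so a child that exits or is run in a pipeline will be denied signalling or writing back to its parent. Replace each pair with the single conventional call, `domtrans_pattern(bootloader_t, mkinitramfs_exec_t, mkinitramfs_t)` in the bootloader section and `domtrans_pattern(mkinitramfs_t, bootloader_exec_t, bootloader_t)` in the mkinitramfs section, and drop the two explicit `fd use` lines. Separately, `libs_manage_lib_files`, `libs_relabelto_lib_files`, `files_manage_kernel_modules` and `domain_obj_id_change_exemption` together let `mkinitramfs_t` rewrite any `lib_t` or module file on the system, not only the copies in its build tree under `bootloader_tmp_t`. If these exist only so the staged tree can carry its final labels, a comment above that group saying so would spare the next reviewer the same question.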
2 changes: 2 additions & 0 deletions policy/modules/kernel/corecommands.fc
Expand Up @@ -51,6 +51,8 @@ ifdef(`distro_redhat',`
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)

/etc/initramfs/post-update\.d/[^/]+ -- gen_context(system_u:object_r:bin_t,s0)

/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)

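Review bot: The hunk header shows the nearest preceding top-level line is the `distro_redhat` ifdef, and `/etc/initramfs/post-update.d` is an initramfs-tools (Debian) directory; if that ifdef has not been closed before this point the new `bin_t` entry would be compiled only on Red Hat builds and do nothing where it is needed. Please check where the closing `')` for that block sits, and if the entry is inside it, move it out or guard it with a `distro_debian` ifdef instead. A short comment such as `# initramfs-tools hooks run by update-initramfs` above the line would also record why these scripts are executable content.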
20 changes: 20 additions & 0 deletions policy/modules/system/fwupd.if
Expand Up @@ -34,3 +34,23 @@ interface(`fwupd_run',`
domtrans_pattern($1, fwupdmgr_exec_t, fwupdmgr_t)
roleattribute $2 fwupdmgr_roles;
')

########################################
## <summary>
## Read /var/lib/fwupd/* files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to read
## </summary>
## </param>
## <rolecap/>
#
interface(`fwupd_read_var_file',`
gen_require(`
type fwupd_var_lib_t;
')

allow $1 fwupd_var_lib_t:dir search;
allow $1 fwupd_var_lib_t:file read_file_perms;
')
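Review bot: `fwupd_read_var_file` carries a `<rolecap/>` tag, which in refpolicy marks interfaces meant to be handed to roles (the `_run`/`_role` family); a plain read-access interface should not have it, so drop that line. The body also uses bare `dir search` and `file read_file_perms` where the usual form is `files_search_var_lib($1)` followed by `read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)`, which additionally grants the directory `getattr`/`open` that a stat or opendir of `/var/lib/fwupd` needs. Naming it `fwupd_read_var_lib_files` with the summary `Read fwupd /var/lib files.` would line up with the `fwupd_var_lib_t` type it exposes.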
18 changes: 18 additions & 0 deletions policy/modules/system/modutils.if
Expand Up @@ -38,6 +38,24 @@ interface(`modutils_read_module_deps',`
allow $1 modules_dep_t:file { map read_file_perms };
')

########################################
## <summary>
## rm kernel dependency files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_delete_module_deps',`
gen_require(`
type modules_dep_t;
')

allow $1 modules_dep_t:file unlink;
')

########################################
## <summary>
## Read the configuration options used when
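Review bot: `modutils_delete_module_deps` grants only `modules_dep_t:file unlink`, but unlinking also needs `remove_name` on the containing `/lib/modules` directory (`modules_object_t`), so on its own the interface cannot delete anything and only works in bootloader.te because `files_delete_kernel_modules` is called alongside it. Using `delete_files_pattern($1, modules_object_t, modules_dep_t)` (with `modules_object_t` added to the `gen_require`) makes the interface self-contained and also grants the `getattr` in `delete_file_perms` that `rm` performs first. The summary `rm kernel dependency files` should read like its neighbours, e.g. `Delete kernel module dependency files.`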
9 changes: 4 additions & 5 deletions policy/modules/system/modutils.te
Expand Up @@ -133,11 +133,6 @@ optional_policy(`
alsa_domtrans(kmod_t)
')

optional_policy(`
apt_use_fds(kmod_t)
apt_use_ptys(kmod_t)
')

optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
Expand All @@ -147,6 +142,10 @@ optional_policy(`
apt_use_ptys(kmod_t)
')

optional_policy(`
bootloader_manage_tmp_files(kmod_t)
')

optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
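Review bot: The new `bootloader_manage_tmp_files(kmod_t)` has no comment explaining why the module tooling needs write access to the bootloader's temporary tree, unlike the `# for postinst of a new kernel package` note on the neighbouring block; since this PR makes `bootloader_tmp_t` the label for files `mkinitramfs_t` creates in both `/tmp` and `/run`, a reader cannot tell which path the rule is for. Add a one-line why-comment above the call, e.g. `# depmod run from the initramfs build tree writes module deps there`, if that is the trigger, or whatever the actual denial was.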
5 changes: 5 additions & 0 deletions policy/modules/system/raid.te
Expand Up @@ -96,6 +96,11 @@ userdom_use_user_terminals(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)

optional_policy(`
apt_use_fds(mdadm_t)
dpkg_script_rw_inherited_pipes(mdadm_t)
')

optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
cron_rw_inherited_tmp_files(mdadm_t)
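Review bot: The new block puts `apt_use_fds(mdadm_t)` and `dpkg_script_rw_inherited_pipes(mdadm_t)` in one `optional_policy`, but apt and dpkg are separate modules, so if only one of them is loaded the whole block is dropped and mdadm loses the other rule too. Split it into two `optional_policy` blocks, one per module, and since both are Debian packaging interfaces consider guarding them with the same `distro_debian` ifdef that bootloader.te uses for its `apt_use_fds`/`apt_use_ptys` rules in this PR.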