commit: 00d3bbc82f3b1cb7a7af9b11a4841a2f8db88859
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 07:42:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 15:10:40 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00d3bbc8
bootloader: grub needs to manage grub.cfg and read kernels
commit b0c13980d224c49207315154905eb7fcb90f289d
broke grub-mkconfig, which needs to be able to update the grub.cfg file.
Remove the fcontext for grub.cfg so that grub-mkconfig can update the file.
Also, grub needs to be able to read the kernels and symlinks to them so
it can add them to the config.
$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
Permission denied
type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for
pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070
scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82
success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489
pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts3 ses=4 comm="mv" exe="/bin/mv"
subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/"
inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/"
inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2
name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0
rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg"
inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE
policy/modules/admin/bootloader.fc | 3 ---
policy/modules/admin/bootloader.te | 2 ++
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/bootloader.fc
b/policy/modules/admin/bootloader.fc
index d392595..b7b85b4 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,9 +1,6 @@
/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
/boot/grub.*/.*
gen_context(system_u:object_r:bootloader_run_t,s0)
-/boot/grub.*/grub.cfg --
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf --
gen_context(system_u:object_r:bootloader_etc_t,s0)
-
/etc/lilo\.conf.* --
gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* --
gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/grub.d(/.*)? --
gen_context(system_u:object_r:bootloader_etc_t,s0)
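Review bot: Removing the grub.cfg/grub.conf fcontexts means the generated boot configuration now falls under the `/boot/grub.*/.*` catch-all as bootloader_run_t, so it no longer carries the bootloader_etc_t label that the other bootloader configs in this file (`/etc/grub.d`, lilo.conf, yaboot.conf) keep, and any rule written against bootloader_etc_t stops covering it. The audit trail supports the choice — grub-mkconfig writes grub.cfg.new (already bootloader_run_t) and renames it over grub.cfg, so a named file transition on "grub.cfg" alone would not relabel the temporary file — but that reasoning should be recorded in a one-line comment above the catch-all, e.g. `# grub.cfg is regenerated by grub-mkconfig (write grub.cfg.new, rename), so it keeps the directory's bootloader_run_t label`. Systems already labelled by the previous policy keep bootloader_etc_t on grub.cfg until `restorecon -R /boot/grub` is run, which the commit message should mention. Any other module that reads bootloader_etc_t to get at the boot config would now also need bootloader_run_t; I have not checked for such callers.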
diff --git a/policy/modules/admin/bootloader.te
b/policy/modules/admin/bootloader.te
index fd9df5c..3b1a3a0 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -108,6 +108,8 @@ corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_read_boot_files(bootloader_t)
+files_read_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
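Review bot: The two new `files_read_boot_*` lines grant bootloader_t read access to every boot_t file and symlink, not only the kernels, and nothing in the hunk records why they were added; a short why-comment above them would help the next maintainer, e.g. `# grub-mkconfig reads the installed kernels (and the symlinks to them) to generate menu entries`. Read-only is the right scope here — the description only needs grub to enumerate and read kernels — so these should not later be widened to a manage interface without a reason. The rule list for bootloader_t continues outside the hunk.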