commit: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 11 19:26:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:37 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63
Revert "bootloader: stricter permissions and more tailored file contexts"
This reverts commit b0c13980d224c49207315154905eb7fcb90f289d.
policy/modules/admin/bootloader.fc | 6 ------
policy/modules/admin/bootloader.te | 17 ++++-------------
2 files changed, 4 insertions(+), 19 deletions(-)
diff --git a/policy/modules/admin/bootloader.fc
b/policy/modules/admin/bootloader.fc
index d3925950..cdd6d3dd 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,12 +1,6 @@
-/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
-/boot/grub.*/.*
gen_context(system_u:object_r:bootloader_run_t,s0)
-
-/boot/grub.*/grub.cfg --
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf --
gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* --
gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* --
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/grub.d(/.*)? --
gen_context(system_u:object_r:bootloader_etc_t,s0)
/usr/sbin/grub --
gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup --
gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.te
b/policy/modules/admin/bootloader.te
index fd9df5c8..bd69d431 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t)
role bootloader_roles types bootloader_t;
#
-# bootloader_run_t are image and other runtime
-# files
-#
-type bootloader_run_t alias run_bootloader_t;
-files_type(bootloader_run_t)
-
-#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
@@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override
dac_read_search fsetid sys_raw
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
-allow bootloader_t bootloader_etc_t:file exec_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir
file lnk_file chr_file
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
-manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
-
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
@@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
