Tree - rpms/selinux-policy - CentOS Git server

rpms / selinux-policy

Blame strict/domains/program/bootloader.te

Blob History Raw

Chris PeBenito	0fbfa5	`#DESC Bootloader - Lilo boot loader/manager`
Chris PeBenito	0fbfa5	`#`
Chris PeBenito	0fbfa5	`# Author: Russell Coker <russell@coker.com.au>`
Chris PeBenito	0fbfa5	`# X-Debian-Packages: lilo`
Chris PeBenito	0fbfa5	`#`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`#################################`
Chris PeBenito	0fbfa5	`#`
Chris PeBenito	0fbfa5	`# Rules for the bootloader_t domain.`
Chris PeBenito	0fbfa5	`#`
Chris PeBenito	0fbfa5	`# bootloader_exec_t is the type of the bootloader executable.`
Chris PeBenito	0fbfa5	`#`
Chris PeBenito	0fbfa5	type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
Chris PeBenito	0fbfa5	`type bootloader_exec_t, file_type, sysadmfile, exec_type;`
Chris PeBenito	0fbfa5	`etc_domain(bootloader)`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`role sysadm_r types bootloader_t;`
Chris PeBenito	0fbfa5	`role system_r types bootloader_t;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t var_t:dir search;`
Chris PeBenito	0fbfa5	`create_append_log_file(bootloader_t, var_log_t)`
Chris PeBenito	0fbfa5	`allow bootloader_t var_log_t:file write;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for nscd`
Chris PeBenito	0fbfa5	`dontaudit bootloader_t var_run_t:dir search;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)`
Chris PeBenito	0fbfa5	`allow bootloader_t { initrc_t privfd }:fd use;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`read_locale(bootloader_t)`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for tune2fs`
Chris PeBenito	0fbfa5	`file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for /vmlinuz sym link`
Chris PeBenito	0fbfa5	`allow bootloader_t root_t:lnk_file read;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# lilo would need read access to get BIOS data`
Chris PeBenito	0fbfa5	`allow bootloader_t proc_kcore_t:file getattr;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t { etc_t device_t }:dir r_dir_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t etc_t:file r_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t etc_t:lnk_file read;`
Chris PeBenito	0fbfa5	`allow bootloader_t initctl_t:fifo_file getattr;`
Chris PeBenito	0fbfa5	`uses_shlib(bootloader_t)`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	ifdef(`distro_debian', `
Chris PeBenito	0fbfa5	`allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };`
Chris PeBenito	0fbfa5	`allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };`
Chris PeBenito	0fbfa5	`allow bootloader_t boot_t:file relabelfrom;`
Chris PeBenito	0fbfa5	`allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;`
Chris PeBenito	0fbfa5	`allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t usr_t:lnk_file read;`
Chris PeBenito	0fbfa5	`allow bootloader_t tmpfs_t:dir r_dir_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t initrc_var_run_t:dir r_dir_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t var_lib_t:dir search;`
Chris PeBenito	0fbfa5	`allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t dpkg_var_lib_t:file { getattr read };`
Chris PeBenito	0fbfa5	`# for /usr/share/initrd-tools/scripts`
Chris PeBenito	0fbfa5	`can_exec(bootloader_t, usr_t)`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;`
Chris PeBenito	0fbfa5	`dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t device_t:lnk_file { getattr read };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# LVM2 / Device Mapper's /dev/mapper/control`
Chris PeBenito	0fbfa5	`# maybe we should change the labeling for this`
Chris PeBenito	0fbfa5	ifdef(`lvm.te', `
Chris PeBenito	0fbfa5	`allow bootloader_t lvm_control_t:chr_file rw_file_perms;`
Chris PeBenito	0fbfa5	`domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)`
Chris PeBenito	0fbfa5	`allow lvm_t bootloader_tmp_t:file rw_file_perms;`
Chris PeBenito	0fbfa5	`r_dir_file(bootloader_t, lvm_etc_t)`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# uncomment the following line if you use "lilo -p"`
Chris PeBenito	0fbfa5	`#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`can_exec_any(bootloader_t)`
Chris PeBenito	0fbfa5	`allow bootloader_t shell_exec_t:lnk_file read;`
Chris PeBenito	0fbfa5	`allow bootloader_t { bin_t sbin_t }:dir search;`
Chris PeBenito	0fbfa5	`allow bootloader_t { bin_t sbin_t }:lnk_file read;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t modules_object_t:dir r_dir_perms;`
Chris PeBenito	0fbfa5	ifdef(`distro_redhat', `
Chris PeBenito	0fbfa5	`allow bootloader_t modules_object_t:lnk_file { getattr read };`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for ldd`
Chris PeBenito	0fbfa5	ifdef(`fsadm.te', `
Chris PeBenito	0fbfa5	`allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5	ifdef(`modutil.te', `
Chris PeBenito	0fbfa5	`allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t boot_t:dir { create rw_dir_perms };`
Chris PeBenito	0fbfa5	`allow bootloader_t boot_t:file create_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t boot_t:lnk_file create_lnk_perms;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t load_policy_exec_t:file { getattr read };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t random_device_t:chr_file { getattr read };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	ifdef(`distro_redhat', `
Chris PeBenito	0fbfa5	`# for mke2fs`
Chris PeBenito	0fbfa5	`domain_auto_trans(bootloader_t, mount_exec_t, mount_t);`
Chris PeBenito	0fbfa5	`allow mount_t bootloader_tmp_t:dir mounton;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# new file system defaults to file_t, granting file_t access is still bad.`
Chris PeBenito	0fbfa5	`allow bootloader_t file_t:dir create_dir_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t file_t:lnk_file create_lnk_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t self:unix_stream_socket create_socket_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t boot_runtime_t:file { read getattr unlink };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for memlock`
Chris PeBenito	0fbfa5	`allow bootloader_t zero_device_t:chr_file { getattr read };`
Chris PeBenito	0fbfa5	`allow bootloader_t self:capability ipc_lock;`
Chris PeBenito	0fbfa5	`')`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };`
Chris PeBenito	0fbfa5	`# allow bootloader to get attributes of any device node`
Chris PeBenito	0fbfa5	`allow bootloader_t { device_type ttyfile }:chr_file getattr;`
Chris PeBenito	0fbfa5	`allow bootloader_t device_type:blk_file getattr;`
Chris PeBenito	0fbfa5	`dontaudit bootloader_t devpts_t:dir create_dir_perms;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t self:process { fork signal_perms };`
Chris PeBenito	0fbfa5	`allow bootloader_t self:lnk_file read;`
Chris PeBenito	0fbfa5	`allow bootloader_t self:dir search;`
Chris PeBenito	0fbfa5	`allow bootloader_t self:file { getattr read };`
Chris PeBenito	0fbfa5	`allow bootloader_t self:fifo_file rw_file_perms;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t fs_t:filesystem getattr;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t proc_t:dir { getattr search };`
Chris PeBenito	0fbfa5	`allow bootloader_t proc_t:file r_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t proc_t:lnk_file { getattr read };`
Chris PeBenito	0fbfa5	`allow bootloader_t proc_mdstat_t:file r_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t self:dir { getattr search read };`
Chris PeBenito	0fbfa5	`read_sysctl(bootloader_t)`
Chris PeBenito	0fbfa5	`allow bootloader_t etc_runtime_t:file r_file_perms;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t devtty_t:chr_file rw_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;`
Chris PeBenito	0fbfa5	`allow bootloader_t initrc_t:fifo_file { read write };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`# for reading BIOS data`
Chris PeBenito	0fbfa5	`allow bootloader_t memory_device_t:chr_file r_file_perms;`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t policy_config_t:dir { search read };`
Chris PeBenito	0fbfa5	`allow bootloader_t policy_config_t:file { getattr read };`
Chris PeBenito	0fbfa5
Chris PeBenito	0fbfa5	`allow bootloader_t lib_t:file { getattr read };`
Chris PeBenito	0fbfa5	`allow bootloader_t sysfs_t:dir getattr;`
Chris PeBenito	0fbfa5	`allow bootloader_t urandom_device_t:chr_file read;`
Chris PeBenito	0fbfa5	`allow bootloader_t { usr_t var_t }:file { getattr read };`
Chris PeBenito	0fbfa5	`r_dir_file(bootloader_t, src_t)`
Chris PeBenito	0fbfa5	`dontaudit bootloader_t selinux_config_t:dir search;`
Chris PeBenito	0fbfa5	`dontaudit bootloader_t sysctl_t:dir search;`

rpms / selinux-policy

Source Code

Blame strict/domains/program/bootloader.te