policy_module(bootloader,1.1.0)
########################################
#
# Declarations
#
attribute rw_kern_modules;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_type(boot_t)
files_mountpoint(boot_t)
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t;
files_type(boot_runtime_t)
type bootloader_t;
domain_type(bootloader_t)
role system_r types bootloader_t;
type bootloader_exec_t;
domain_entry_file(bootloader_t,bootloader_exec_t)
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
files_type(bootloader_etc_t)
#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
files_type(modules_object_t)
#neverallow ~rw_kern_modules modules_object_t:file { create append write };
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
#
# /var/log/ksyms
# cjp: this probably can be removed, I do not
# think it is used on 2.6 kernels
type var_log_ksyms_t;
logging_log_file(var_log_ksyms_t)
########################################
#
# bootloader local policy
#
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal };
allow bootloader_t self:fifo_file { getattr read write };
allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:file create_file_perms;
allow bootloader_t boot_t:lnk_file create_lnk_perms;
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
#files_create_etc_config(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_create_root(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
allow bootloader_t modules_object_t:lnk_file r_file_perms;
kernel_getattr_core(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctl(bootloader_t)
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
dev_getattr_all_chr_files(bootloader_t)
dev_getattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_getattr_sysfs_dir(bootloader_t)
# for reading BIOS data
dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
term_dontaudit_manage_pty_dir(bootloader_t)
corecmd_exec_bin(bootloader_t)
corecmd_exec_sbin(bootloader_t)
corecmd_exec_shell(bootloader_t)
domain_exec_all_entry_files(bootloader_t)
domain_use_wide_inherit_fd(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_pty(bootloader_t)
init_use_script_fd(bootloader_t)
init_rw_script_pipe(bootloader_t)
libs_use_ld_so(bootloader_t)
libs_use_shared_libs(bootloader_t)
libs_read_lib(bootloader_t)
libs_exec_lib_files(bootloader_t)
logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
seutil_read_binary_pol(bootloader_t)
seutil_read_loadpol(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
fs_list_tmpfs(bootloader_t)
files_relabelto_usr_files(bootloader_t)
files_search_var_lib(bootloader_t)
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)
fstools_manage_entry_files(bootloader_t)
fstools_relabelto_entry_files(bootloader_t)
init_list_script_pids(bootloader_t)
libs_relabelto_lib_files(bootloader_t)
')
ifdef(`distro_redhat',`
# for memlock
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dir(bootloader_t)
files_manage_isid_type_file(bootloader_t)
files_manage_isid_type_symlink(bootloader_t)
files_manage_isid_type_blk_node(bootloader_t)
files_manage_isid_type_chr_node(bootloader_t)
# for mke2fs
mount_domtrans(bootloader_t)
')
ifdef(`targeted_policy',`
term_use_unallocated_tty(bootloader_t)
term_use_generic_pty(bootloader_t)
')
optional_policy(`fstools',`
fstools_exec(bootloader_t)
')
optional_policy(`lvm',`
dev_rw_lvm_control(bootloader_t)
lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
optional_policy(`modutils',`
modutils_exec_insmod(bootloader_t)
modutils_read_mods_deps(bootloader_t)
modutils_read_module_conf(bootloader_t)
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
')
optional_policy(`nscd',`
nscd_use_socket(bootloader_t)
')
optional_policy(`rpm',`
rpm_rw_pipe(bootloader_t)
')
optional_policy(`userdomain',`
userdom_dontaudit_search_staff_home_dir(bootloader_t)
userdom_dontaudit_search_sysadm_home_dir(bootloader_t)
')
ifdef(`TODO',`
ifdef(`distro_debian', `
# cjp: there is no setfscreate or type_transition, and
# bootloader_t cannot rw a usr_t or lib_t directory, so
# how can this work? This is probably rw_file_perms,
# possibly with unlink. Files are probably "created"
# by the above relabeling permissions.
allow bootloader_t { usr_t lib_t }:file create_file_perms;
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
')
') dnl end TODO