## Policy for the kernel modules, kernel image, and bootloader. ######################################## ## ## Execute bootloader in the bootloader domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`bootloader_domtrans',` gen_require(` type bootloader_t, bootloader_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, bootloader_exec_t, bootloader_t) ') ######################################## ## ## Execute bootloader interactively and do ## a domain transition to the bootloader domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`bootloader_run',` gen_require(` attribute_role bootloader_roles; ') bootloader_domtrans($1) roleattribute $2 bootloader_roles; ') ######################################## ## ## Execute bootloader in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_exec',` gen_require(` type bootloader_exec_t; ') corecmd_search_bin($1) can_exec($1, bootloader_exec_t) ') ######################################## ## ## Read the bootloader configuration file. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_read_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file read_file_perms; ') ######################################## ## ## Read and write the bootloader ## configuration file. ## ## ## ## Domain allowed access. ## ## ## # interface(`bootloader_rw_config',` gen_require(` type bootloader_etc_t; ') allow $1 bootloader_etc_t:file rw_file_perms; ') ######################################## ## ## Read and write the bootloader ## temporary data in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_rw_tmp_files',` gen_require(` type bootloader_tmp_t; ') files_search_tmp($1) allow $1 bootloader_tmp_t:file rw_file_perms; ') ######################################## ## ## Read and write the bootloader ## temporary data in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`bootloader_create_runtime_file',` gen_require(` type boot_runtime_t; ') allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ')