Hoshpak
/
debian-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225
							policy_module(bootloader, 1.15.1)

########################################
#
# Declarations
#

attribute_role bootloader_roles;
roleattribute system_r bootloader_roles;

#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t;
files_type(boot_runtime_t)

type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
role bootloader_roles types bootloader_t;

#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
files_type(bootloader_etc_t)

#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)

########################################
#
# bootloader local policy
#

allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)

manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)

kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)

# for grub-probe
kernel_request_load_module(bootloader_t)

storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)

dev_getattr_all_chr_files(bootloader_t)
dev_getattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
# needed on some hardware
dev_rw_nvram(bootloader_t)

fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)

mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)

term_getattr_all_ttys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)

corecmd_exec_all_executables(bootloader_t)

domain_use_interactive_fds(bootloader_t)

files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)

init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
init_rw_script_pipes(bootloader_t)

libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)

logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)

miscfiles_read_localization(bootloader_t)

modutils_domtrans_insmod(bootloader_t)

seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)

userdom_use_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)

seutil_read_file_contexts(bootloader_t)

gen_require(`
	type xconsole_device_t;
')
allow bootloader_t xconsole_device_t:fifo_file getattr;

ifdef(`distro_debian',`
	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
	fs_list_tmpfs(bootloader_t)

	files_relabel_kernel_modules(bootloader_t)
	files_relabelfrom_boot_files(bootloader_t)
	files_delete_kernel_modules(bootloader_t)
	files_relabelto_usr_files(bootloader_t)
	files_search_var_lib(bootloader_t)
	# for /usr/share/initrd-tools/scripts
	files_exec_usr_files(bootloader_t)

	fstools_manage_entry_files(bootloader_t)
	fstools_relabelto_entry_files(bootloader_t)

	libs_relabelto_lib_files(bootloader_t)

	# for apt-cache
	dpkg_read_db(bootloader_t)
	apt_read_db(bootloader_t)
	apt_read_cache(bootloader_t)
')

ifdef(`distro_redhat',`
	# for memlock
	allow bootloader_t self:capability ipc_lock;

	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };

	# new file system defaults to unlabeled, granting unlabeled access is still bad.
	kernel_manage_unlabeled_dirs(bootloader_t)
	kernel_manage_unlabeled_files(bootloader_t)
	kernel_manage_unlabeled_symlinks(bootloader_t)
	kernel_manage_unlabeled_blk_files(bootloader_t)
	kernel_manage_unlabeled_chr_files(bootloader_t)

	# for mke2fs
	mount_run(bootloader_t, bootloader_roles)

	optional_policy(`
		unconfined_domain(bootloader_t)
	')
')

optional_policy(`
	fstools_exec(bootloader_t)
')

optional_policy(`
	hal_dontaudit_append_lib_files(bootloader_t)
	hal_write_log(bootloader_t)
')

optional_policy(`
	kudzu_domtrans(bootloader_t)
')

optional_policy(`
	dev_rw_lvm_control(bootloader_t)

	lvm_domtrans(bootloader_t)
	lvm_read_config(bootloader_t)
')

optional_policy(`
	modutils_exec_insmod(bootloader_t)
	modutils_read_module_deps(bootloader_t)
	modutils_read_module_config(bootloader_t)
	modutils_exec_insmod(bootloader_t)
	modutils_exec_depmod(bootloader_t)
	modutils_exec_update_mods(bootloader_t)
')

optional_policy(`
	nscd_use(bootloader_t)
')

optional_policy(`
	rpm_rw_pipes(bootloader_t)
')