| author | Kenton Groombridge <concord@gentoo.org> | 2024-05-06 16:31:46 -0400 |
|---|---|---|
| committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:44 -0400 |
| commit | da28221423dba9c102a06afb6c7eac7cd2d0117a (patch) | |
| tree | 76362976707e316c11f76058656a256ac563aa3d | |
| parent | asterisk: allow binding to all unreserved UDP ports (diff) | |
| download | hardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.tar.gz hardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.tar.bz2 hardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.zip | |
bootloader: allow systemd-boot to manage EFI binaries
systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/admin/bootloader.te | 4 |
|---|---|---|
| -rw-r--r-- | policy/modules/kernel/files.if | 19 |

2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 294ce7e0..81748a5f 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -225,6 +225,10 @@ ifdef(`init_systemd',` fs_getattr_cgroup(bootloader_t) init_read_state(bootloader_t) init_rw_inherited_stream_socket(bootloader_t) + + # for systemd-boot-update to manage EFI binaries + domain_obj_id_change_exemption(bootloader_t) + files_mmap_read_boot_files(bootloader_t) ') optional_policy(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index e0337d04..b9c45132 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2592,6 +2592,25 @@ interface(`files_read_boot_files',` ######################################## ## <summary> +## Read and memory map files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_mmap_read_boot_files',` + gen_require(` + type boot_t; + ') + + mmap_read_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> ## Create, read, write, and delete files ## in the /boot directory. ## </summary> |
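Review bot: the bootloader.te hunk adds `domain_obj_id_change_exemption(bootloader_t)` without saying why the object identity change exemption is needed; the commit message only explains that bootctl must manage boot_t files, and neither the message nor the in-line comment names the operation or denial that this attribute resolves, so please document it. The in-line comment (`# for systemd-boot-update to manage EFI binaries`) also refers to systemd-boot-update while the commit message refers to bootctl; the two should agree on which caller is being granted access. Finally, `files_mmap_read_boot_files(bootloader_t)` only grants read and mmap access: the write, create and delete access that "manage boot_t files" implies must already come from an existing rule in bootloader.te that this hunk does not show, and if it does not, a `files_manage_boot_files` call is still missing.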