bootloader, filesystem: various fixes for grub

Signed-off-by: Kenton Groombridge <me@concord.sh>
2025-03-21 10:37:48 +00:00 · 2021-03-14 16:50:23 -04:00 · 2021-03-14 16:50:23 -04:00 · 1c552ec38f
commit 1c552ec38f
parent 7f1a7b1cac
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -67,6 +67,7 @@ kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
 kernel_search_debugfs(bootloader_t)
 kernel_setsched(bootloader_t)
+kernel_dontaudit_getattr_proc(bootloader_t)
 # for grub-probe
 kernel_request_load_module(bootloader_t)

@ -90,6 +91,7 @@ fs_getattr_dos_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for EFI
+fs_getattr_efivarfs(bootloader_t)
 fs_manage_dos_files(bootloader_t)
 fs_mmap_read_dos_files(bootloader_t)

@ -153,6 +155,7 @@ miscfiles_read_localization(bootloader_t)
 mount_rw_runtime_files(bootloader_t)

 selinux_getattr_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -2155,6 +2155,24 @@ interface(`fs_manage_dos_files',`
 	manage_files_pattern($1, dosfs_t, dosfs_t)
 ')

+########################################
+## <summary>
+##	Get the attributes of efivarfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_efivarfs',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	allow $1 efivarfs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	List dirs in efivarfs filesystem.