From 1c552ec38fa31cc10915de461aa75b2deef5d575 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 14 Mar 2021 16:50:23 -0400
Subject: [PATCH] bootloader, filesystem: various fixes for grub
Signed-off-by: Kenton Groombridge
---
policy/modules/admin/bootloader.te | 3 +++
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 6e6d758d0..5eef8960b 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -67,6 +67,7 @@ kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
 kernel_search_debugfs(bootloader_t)
 kernel_setsched(bootloader_t)
+kernel_dontaudit_getattr_proc(bootloader_t)
 # for grub-probe
 kernel_request_load_module(bootloader_t)
@@ -90,6 +91,7 @@ fs_getattr_dos_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for EFI
+fs_getattr_efivarfs(bootloader_t)
 fs_manage_dos_files(bootloader_t)
 fs_mmap_read_dos_files(bootloader_t)
@@ -153,6 +155,7 @@ miscfiles_read_localization(bootloader_t)
 mount_rw_runtime_files(bootloader_t)
 selinux_getattr_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e0a7e4bc7..0047ea89e 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
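Review bot: `kernel_dontaudit_getattr_proc(bootloader_t)` in the first hunk is added without recording which grub operation triggers the denial it silences, and it sits directly above the pre-existing `# for grub-probe` comment, so a reader can no longer tell whether that comment now describes it. A dontaudit suppresses the denial from the audit log permanently, which makes the rationale worth a line of its own, e.g. `# grub stats procfs during probing; the failure is harmless, so silence rather than allow` placed above the new call (adjust to the actual trigger, which the commit message does not name). The same applies to `selinux_use_status_page(bootloader_t)` in the third hunk: a short comment on which grub component needs the SELinux status page (presumably libselinux during grub-install, given the domain already reads file contexts, but that is inferred) would save the next reviewer from re-deriving it.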
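Review bot: In the second hunk `fs_getattr_efivarfs(bootloader_t)` is inserted between the existing `#Needed for EFI` comment and the `fs_manage_dos_files`/`fs_mmap_read_dos_files` calls that comment was attached to, so the comment now appears to describe efivarfs rather than the FAT-formatted EFI system partition rules below it. It also breaks the alphabetical ordering refpolicy keeps within a module's interface calls: the hunk header shows `fs_getattr_dos_fs(bootloader_t)` immediately above the context, so the new call belongs between `fs_getattr_dos_fs(bootloader_t)` and `fs_getattr_tmpfs(bootloader_t)`, leaving the `#Needed for EFI` comment adjacent to the dos-file rules. If grub on EFI later also needs to enumerate `/sys/firmware/efi/efivars`, the existing `fs_list_efivarfs` interface (visible as the next interface in the filesystem.if hunk) is the one to add rather than widening this getattr-only call.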
@@ -2155,6 +2155,24 @@ interface(`fs_manage_dos_files',`
 manage_files_pattern($1, dosfs_t, dosfs_t)
 ')
+########################################
+##
+## Get the attributes of efivarfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_efivarfs',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+ allow $1 efivarfs_t:filesystem getattr;
+')
+
 ########################################
 ##
 ##
 ## List dirs in efivarfs filesystem.
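Review bot: The doc block of the new `fs_getattr_efivarfs` interface shows only bare `##` lines here, with none of the `<summary>` and `<param name="domain">` elements that refpolicy's interface documentation generator keys on; this is most likely the page rendering stripping the tags, but it is worth confirming the committed text has `## <summary>` around "Get the attributes of efivarfs filesystems." and `## <param name="domain">` around "Domain allowed access.", matching the `fs_list_efivarfs` block that follows. The rule body itself, `allow $1 efivarfs_t:filesystem getattr;`, is the statfs-level permission consistent with the sibling `fs_getattr_*` interfaces and grants no access to the variable files themselves, which is the right scope for a probe.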