diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index d18eabc1c..e617929d8 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -1,4 +1,62 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Policy for the kernel modules, kernel image, and bootloader. + +######################################## +## +## +## Execute bootloader in the bootloader domain. +## +## +## The type of the process performing this action. +## +## +## +# +define(`bootloader_transition',` +requires_block_template(`$0'_depend) +allow $1 bootloader_exec_t:file { getattr read execute }; +allow $1 bootloader_t:process transition; +type_transition $1 bootloader_exec_t:file bootloader_t; +dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh }; +') + +define(`bootloader_transition_depend',` +type bootloader_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +######################################## +## +## +## Execute bootloader in the bootloader domain, and +## allow the specified role the bootloader domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the bootloader domain. +## +## +## The type of the terminal allow the bootloader domain to use. +## +## +## +# +define(`bootloader_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +bootloader_transition($1) +role $2 types bootloader_t; +allow bootloader_t $3:chr_file { getattr read write ioctl }; +') + +define(`bootloader_transition_add_role_use_terminal_depend',` +type bootloader_t; +class chr_file { getattr read write ioctl }; +') ######################################## # @@ -253,3 +311,5 @@ define(`bootloader_create_private_module_dir_entry_depend',` type modules_object_t; class dir { getattr search read write add_name remove_name }; ') + +##