bootloader, devices: dontaudit grub writing on legacy efi variables

Newer versions of grub modify EFI variables on efivarfs. This commit adds a dontaudit on the legacy /sys/fs/efi/vars files. Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-13 16:48:54 -04:00 · 2021-04-13 16:48:54 -04:00 · cd340e1f6f
parent 8887862973
commit cd340e1f6f
2 changed files with 20 additions and 0 deletions
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 # needed on some hardware
 dev_rw_nvram(bootloader_t)

--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -4473,6 +4473,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 	dontaudit $1 sysfs_t:dir write;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete sysfs