From cd340e1f6f64271c2ba9a90b738756e9648ada54 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Tue, 13 Apr 2021 16:48:54 -0400
Subject: [PATCH] bootloader, devices: dontaudit grub writing on legacy efi variables

Newer versions of grub modify EFI variables on efivarfs. This commit adds a dontaudit on the legacy /sys/fs/efi/vars files.

Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/bootloader.te | 2 ++
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 5eef8960b..be67f97e9 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 
 # needed on some hardware
 dev_rw_nvram(bootloader_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7dd0a5771..ae20e3365 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4473,6 +4473,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 dontaudit $1 sysfs_t:dir write;
 ')
 
+########################################
+##
+## Do not audit attempts to write to a sysfs file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete sysfs
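Review bot: The rule added as `dev_dontaudit_write_sysfs_files(bootloader_t)` suppresses write denials on every file carrying the generic sysfs_t type, not only the legacy EFI variable files the comment above it names, so any other sysfs write the bootloader domain attempts (including one made by a compromised bootloader_t) is still denied but leaves no AVC record for detection. The comment should state that breadth so a later reader does not take the dontaudit as efivars-specific, e.g. `# newer grub writes EFI variables via efivarfs; the fallback writes to the legacy efivars files are plain sysfs_t, so this dontaudit hides every sysfs_t:file write denial for bootloader_t`. The path given in the comment and the commit message, /sys/fs/efi/vars, does not match where I would expect the legacy efivars interface to live (/sys/firmware/efi/vars, beside efivarfs at /sys/firmware/efi/efivars) — worth confirming against the actual denial before the path is baked into the policy comment. This hunk only silences the failing legacy path; nothing visible here grants bootloader_t write on the efivarfs type, so confirm that access exists elsewhere or grub's EFI variable update will still fail, now without a log line to explain why.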
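Review bot: The new interface's summary, `Do not audit attempts to write to a sysfs file.`, does not say that the rule `dontaudit $1 sysfs_t:file write;` applies to every file labelled with the base sysfs_t type, so a caller could read it as scoped to one sysfs subtree; `##	Do not audit attempts to write to any generic sysfs_t file.` makes the breadth explicit and mirrors its dir-class sibling dev_dontaudit_write_sysfs_dirs, whose end this hunk shows. A dontaudit on a base type removes the audit trail for every denied write of that class, so the summary could also ask callers to record the triggering path at the call site, as the bootloader hunk does. The interface covers only the write permission; if a calling domain does not already hold open/read on sysfs_t files (as bootloader_t does via dev_read_sysfs), its denial will presumably still be logged for the open permission — a short note in the summary would save the next caller that surprise, but I have only the rule itself to go on.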