Merge pull request #149 from fishilico/systemd-logind-bootloader
This commit is contained in:
commit
d3f1e699c9
|
@ -104,6 +104,39 @@ interface(`storage_raw_read_fixed_disk',`
|
|||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a fixed disk
|
||||
## if a tunable is set.
|
||||
## This is extremely dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="tunable">
|
||||
## <summary>
|
||||
## Tunable to depend on
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_fixed_disk_cond',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type fixed_disk_device_t;
|
||||
')
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
tunable_policy($2, `
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
|
||||
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to read
|
||||
|
|
|
@ -20,6 +20,15 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
|
|||
## </desc>
|
||||
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow systemd-logind to interact with the bootloader (read which one is
|
||||
## installed on fixed disks, enumerate entries for dbus property
|
||||
## BootLoaderEntries, etc.)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(systemd_logind_get_bootloader, false)
|
||||
|
||||
attribute systemd_log_parse_env_type;
|
||||
attribute systemd_tmpfiles_conf_type;
|
||||
attribute systemd_user_session_type;
|
||||
|
@ -558,6 +567,15 @@ ifdef(`distro_redhat',`
|
|||
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
|
||||
')
|
||||
|
||||
tunable_policy(`systemd_logind_get_bootloader',`
|
||||
fs_getattr_dos_fs(systemd_logind_t)
|
||||
fs_list_dos(systemd_logind_t)
|
||||
fs_read_dos_files(systemd_logind_t)
|
||||
')
|
||||
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
||||
# This reads the first sectors of fixed disk devices.
|
||||
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
|
||||
|
||||
optional_policy(`
|
||||
dbus_connect_system_bus(systemd_logind_t)
|
||||
dbus_system_bus_client(systemd_logind_t)
|
||||
|
|
Loading…
Reference in New Issue