Merge pull request #149 from fishilico/systemd-logind-bootloader
This commit is contained in:
Chris PeBenito
commit
d3f1e699c9
|
|
@ -104,6 +104,39 @@ interface(`storage_raw_read_fixed_disk',`
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the caller to directly read from a fixed disk
|
||||||
|
## if a tunable is set.
|
||||||
|
## This is extremely dangerous as it can bypass the
|
||||||
|
## SELinux protections for filesystem objects, and
|
||||||
|
## should only be used by trusted domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="tunable">
|
||||||
|
## <summary>
|
||||||
|
## Tunable to depend on
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`storage_raw_read_fixed_disk_cond',`
|
||||||
|
gen_require(`
|
||||||
|
attribute fixed_disk_raw_read;
|
||||||
|
type fixed_disk_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
|
tunable_policy($2, `
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
|
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
|
||||||
|
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts made by the caller to read
|
## Do not audit attempts made by the caller to read
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,15 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow systemd-logind to interact with the bootloader (read which one is
|
||||||
|
## installed on fixed disks, enumerate entries for dbus property
|
||||||
|
## BootLoaderEntries, etc.)
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(systemd_logind_get_bootloader, false)
|
||||||
|
|
||||||
attribute systemd_log_parse_env_type;
|
attribute systemd_log_parse_env_type;
|
||||||
attribute systemd_tmpfiles_conf_type;
|
attribute systemd_tmpfiles_conf_type;
|
||||||
attribute systemd_user_session_type;
|
attribute systemd_user_session_type;
|
||||||
|
|
@ -558,6 +567,15 @@ ifdef(`distro_redhat',`
|
||||||
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
|
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`systemd_logind_get_bootloader',`
|
||||||
|
fs_getattr_dos_fs(systemd_logind_t)
|
||||||
|
fs_list_dos(systemd_logind_t)
|
||||||
|
fs_read_dos_files(systemd_logind_t)
|
||||||
|
')
|
||||||
|
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
||||||
|
# This reads the first sectors of fixed disk devices.
|
||||||
|
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_connect_system_bus(systemd_logind_t)
|
dbus_connect_system_bus(systemd_logind_t)
|
||||||
dbus_system_bus_client(systemd_logind_t)
|
dbus_system_bus_client(systemd_logind_t)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue