bootloader: add rEFInd and systemd-boot
Add the EFI bootloaders rEFInd and systemd-boot. Boot tools that manage bootloader files in the UEFI (DOS) partition also need to manage UEFI boot variables in efivarfs. Bootctl (the systemd-boot tool) verifies the type of the EFI file system and needs to mmap() the files. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This commit is contained in:
parent
841cce42e8
commit
eae4ecde22
|
@ -2,20 +2,28 @@
|
||||||
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||||
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||||
|
|
||||||
|
/usr/bin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/bin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/bin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/bin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/sbin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/sbin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
/usr/sbin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
|
/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
|
||||||
|
|
|
@ -86,10 +86,12 @@ dev_read_sysfs(bootloader_t)
|
||||||
dev_rw_nvram(bootloader_t)
|
dev_rw_nvram(bootloader_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(bootloader_t)
|
fs_getattr_xattr_fs(bootloader_t)
|
||||||
|
fs_getattr_dos_fs(bootloader_t)
|
||||||
fs_getattr_tmpfs(bootloader_t)
|
fs_getattr_tmpfs(bootloader_t)
|
||||||
fs_read_tmpfs_symlinks(bootloader_t)
|
fs_read_tmpfs_symlinks(bootloader_t)
|
||||||
#Needed for EFI
|
#Needed for EFI
|
||||||
fs_manage_dos_files(bootloader_t)
|
fs_manage_dos_files(bootloader_t)
|
||||||
|
fs_mmap_read_dos_files(bootloader_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(bootloader_t)
|
mls_file_read_all_levels(bootloader_t)
|
||||||
mls_file_write_all_levels(bootloader_t)
|
mls_file_write_all_levels(bootloader_t)
|
||||||
|
@ -120,6 +122,9 @@ files_manage_etc_runtime_files(bootloader_t)
|
||||||
files_etc_filetrans_etc_runtime(bootloader_t, file)
|
files_etc_filetrans_etc_runtime(bootloader_t, file)
|
||||||
files_dontaudit_search_home(bootloader_t)
|
files_dontaudit_search_home(bootloader_t)
|
||||||
|
|
||||||
|
fs_list_efivars(bootloader_t)
|
||||||
|
fs_manage_efivarfs_files(bootloader_t)
|
||||||
|
|
||||||
fs_list_hugetlbfs(bootloader_t)
|
fs_list_hugetlbfs(bootloader_t)
|
||||||
fs_mount_fusefs(bootloader_t)
|
fs_mount_fusefs(bootloader_t)
|
||||||
fs_mount_xattr_fs(bootloader_t)
|
fs_mount_xattr_fs(bootloader_t)
|
||||||
|
|
|
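Review bot: `fs_manage_efivarfs_files(bootloader_t)` in the second added line of this hunk grants create, write and unlink on every variable exposed through efivarfs_t, not only the boot entries the commit message says bootctl needs; SELinux cannot narrow this to individual variables, so the breadth deserves a why-comment next to the call, e.g. `# bootctl creates/updates UEFI boot variables; efivarfs has no per-variable type`. The preceding `fs_list_efivars(bootloader_t)` looks redundant, because manage_files_pattern already grants rw_dir_perms on the efivarfs_t directory, which covers the list permissions, unless fs_list_efivars adds a filesystem getattr I cannot see from here. A similar justification comment would fit the `fs_getattr_dos_fs` and `fs_mmap_read_dos_files` lines added in the previous hunk, where the commit message (bootctl checks the ESP filesystem type and mmaps its files) is currently the only record of why they are needed.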
@ -1982,6 +1982,25 @@ interface(`fs_read_dos_files',`
|
||||||
read_files_pattern($1, dosfs_t, dosfs_t)
|
read_files_pattern($1, dosfs_t, dosfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and map files on a DOS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_mmap_read_dos_files',`
|
||||||
|
gen_require(`
|
||||||
|
type dosfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_files_pattern($1, dosfs_t, dosfs_t)
|
||||||
|
allow $1 dosfs_t:file map;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
|
@ -2039,6 +2058,26 @@ interface(`fs_read_efivarfs_files',`
|
||||||
read_files_pattern($1, efivarfs_t, efivarfs_t)
|
read_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## on a efivarfs filesystem.
|
||||||
|
## - contains Linux Kernel configuration options for UEFI systems
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_efivarfs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type efivarfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## stat a FUSE filesystem
|
## stat a FUSE filesystem
|
||||||
|
|
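Review bot: The summary of the new `fs_manage_efivarfs_files` interface says efivarfs "contains Linux Kernel configuration options for UEFI systems", but efivarfs exposes the firmware's UEFI variables (boot entries and related firmware state), which is exactly what makes a manage interface on it sensitive; the line reads as copied from the read interface above and should say what write access means, e.g. `## - exposes UEFI firmware variables; managing them changes the boot configuration`. The phrase `on a efivarfs filesystem` should read `on an efivarfs filesystem`. The body itself mirrors the existing fs_read_efivarfs_files with manage_files_pattern, so no code change is needed.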