From fbdf5f0ef896ac94113d1aa3079afde479b6a7fb Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sat, 22 Nov 2014 22:16:34 +0100
Subject: [PATCH] Run grub(2)-mkconfig in bootloader domain

In order to write the grub configuration and perform the preliminary checks, the grub-mkconfig command should run in the bootloader_t domain. As such, update the file context definition to be bootloader_exec_t.
---
 policy/modules/admin/bootloader.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931fc..d908d56a9 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,4 +9,5 @@
 /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
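Review bot: The new `/usr/sbin/grub2?-mkconfig` entry labels a shell wrapper rather than a single-purpose binary, so the domain entry point now reaches whatever that script sources or executes. grub-mkconfig normally runs the helper scripts under /etc/grub.d, which means those helpers would execute in bootloader_t (or need an explicit transition). The patch changes only the file context, so it is worth confirming that the helper directory carries a label writable only by trusted domains and that bootloader_t has the access the helpers need. A short comment above the entry would record this, for example `# grub2-mkconfig runs the /etc/grub.d helpers; they inherit bootloader_t`. The hunk covers only the /usr/sbin path, and the earlier lines of bootloader.fc are outside it, so whether other install locations need a matching entry cannot be judged from here.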