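## Policy for the kernel modules, kernel image, and bootloader.
##
## NOTE(review): several interfaces below grant write, create or unlink
## access on boot_t, system_map_t, bootloader_etc_t and modules_object_t.
## Those types presumably label the boot files and kernel modules, so
## callers should be limited to domains that need that access (confirm
## the labeling against the file contexts, which are not shown here).

########################################
##
## Execute bootloader in the bootloader domain.
##
## $1: The type of the process performing this action.
##
## In addition to the automatic transition on bootloader_exec_t, the
## caller and bootloader_t may use file descriptors of the other side,
## bootloader_t gets rw_file_perms on fifo_file objects of the caller,
## and bootloader_t may send sigchld to the caller.
#
define(`bootloader_domtrans',`
	requires_block_template(`$0'_depend)
	domain_auto_trans($1, bootloader_exec_t, bootloader_t)

	allow $1 bootloader_t:fd use;
	allow bootloader_t $1:fd use;
	allow bootloader_t $1:fifo_file rw_file_perms;
	allow bootloader_t $1:process sigchld;
')

# Requirements for bootloader_domtrans.  bootloader_exec_t is listed
# because the transition rule above names it as the entry point type.
define(`bootloader_domtrans_depend',`
	type bootloader_t, bootloader_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
##
## Execute bootloader in the bootloader domain, and
## allow the specified role the bootloader domain,
## and use the caller's terminal.
##
## $1: The type of the process performing this action.
## $2: The role to be allowed the bootloader domain.
## $3: The type of the terminal to allow the bootloader domain to use.
##
## The transition itself is delegated to bootloader_domtrans, the
## transition interface defined in this file.
#
define(`bootloader_run',`
	requires_block_template(`$0'_depend)
	bootloader_domtrans($1)

	role $2 types bootloader_t;
	allow bootloader_t $3:chr_file rw_file_perms;
')

define(`bootloader_run_depend',`
	type bootloader_t;

	class chr_file rw_file_perms;
')

########################################
#
# bootloader_search_bootloader_data_directory(domain)
#
# Allow the domain to search directories labeled boot_t.
#
define(`bootloader_search_bootloader_data_directory',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir search;
')

define(`bootloader_search_bootloader_data_directory_depend',`
	type boot_t;

	class dir search;
')

########################################
#
# bootloader_ignore_search_bootloader_data_directory(domain)
#
# Do not audit attempts by the domain to search directories labeled
# boot_t.  This is a dontaudit rule: it grants nothing and only
# suppresses the denial message.
#
define(`bootloader_ignore_search_bootloader_data_directory',`
	requires_block_template(`$0'_depend)
	dontaudit $1 boot_t:dir search;
')

define(`bootloader_ignore_search_bootloader_data_directory_depend',`
	type boot_t;

	class dir search;
')

########################################
#
# bootloader_modify_bootloader_data_directory_symbolic_links(domain)
#
# Grant r_dir_perms on boot_t directories and rw_file_perms on boot_t
# symbolic links.
#
define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir r_dir_perms;
	allow $1 boot_t:lnk_file rw_file_perms;
')

define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
	type boot_t;

	class dir r_dir_perms;
	class lnk_file rw_file_perms;
')

########################################
#
# bootloader_install_kernel(domain)
#
# Grant ra_dir_perms on boot_t directories, read/write/create on boot_t
# files, and read/create/unlink on boot_t symbolic links.  No unlink on
# boot_t files is granted here; see bootloader_remove_kernel.
#
define(`bootloader_install_kernel',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir ra_dir_perms;
	allow $1 boot_t:file { getattr read write create };
	allow $1 boot_t:lnk_file { getattr read create unlink };
')

define(`bootloader_install_kernel_depend',`
	type boot_t;

	class dir ra_dir_perms;
	class file { getattr read write create };
	class lnk_file { getattr read create unlink };
')

########################################
#
# bootloader_install_initrd(domain)
#
# Grants the same rules as bootloader_install_kernel: the kernel image
# and the initrd are not distinguished by type in this file.
#
define(`bootloader_install_initrd',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir ra_dir_perms;
	allow $1 boot_t:file { getattr read write create };
	allow $1 boot_t:lnk_file { getattr read create unlink };
')

define(`bootloader_install_initrd_depend',`
	type boot_t;

	class dir ra_dir_perms;
	class file { getattr read write create };
	class lnk_file { getattr read create unlink };
')

########################################
#
# bootloader_install_kernel_symbol_table(domain)
#
# Grant ra_dir_perms on boot_t directories and rw_file_perms plus create
# on system_map_t files.
#
define(`bootloader_install_kernel_symbol_table',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir ra_dir_perms;
	allow $1 system_map_t:file { rw_file_perms create };
')

define(`bootloader_install_kernel_symbol_table_depend',`
	type boot_t, system_map_t;

	class dir ra_dir_perms;
	class file { rw_file_perms create };
')

########################################
#
# bootloader_read_kernel_symbol_table(domain)
#
# Grant r_dir_perms on boot_t directories and r_file_perms on
# system_map_t files.  The permission set matches the one declared in
# the _depend block below.
#
define(`bootloader_read_kernel_symbol_table',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir r_dir_perms;
	allow $1 system_map_t:file r_file_perms;
')

define(`bootloader_read_kernel_symbol_table_depend',`
	type boot_t, system_map_t;

	class dir r_dir_perms;
	class file r_file_perms;
')

########################################
#
# bootloader_remove_kernel(domain)
#
# Grant r_dir_perms, write and remove_name on boot_t directories, and
# getattr/unlink on boot_t files.
#
define(`bootloader_remove_kernel',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir { r_dir_perms write remove_name };
	allow $1 boot_t:file { getattr unlink };
')

define(`bootloader_remove_kernel_depend',`
	type boot_t;

	class dir { r_dir_perms write remove_name };
	class file { getattr unlink };
')

########################################
#
# bootloader_remove_kernel_symbol_table(domain)
#
# Grant r_dir_perms, write and remove_name on boot_t directories, and
# getattr/unlink on system_map_t files.
#
define(`bootloader_remove_kernel_symbol_table',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir { r_dir_perms write remove_name };
	allow $1 system_map_t:file { getattr unlink };
')

define(`bootloader_remove_kernel_symbol_table_depend',`
	type boot_t, system_map_t;

	class dir { r_dir_perms write remove_name };
	class file { getattr unlink };
')

########################################
#
# bootloader_read_config(domain)
#
# Grant r_file_perms on bootloader_etc_t files.
#
define(`bootloader_read_config',`
	requires_block_template(`$0'_depend)
	allow $1 bootloader_etc_t:file r_file_perms;
')

define(`bootloader_read_config_depend',`
	type bootloader_etc_t;

	class file r_file_perms;
')

########################################
#
# bootloader_rw_bootloader_config(domain)
#
# Grant rw_file_perms on bootloader_etc_t files.
#
# NOTE(review): the read-only sibling is named bootloader_read_config,
# without the second bootloader_ prefix.  The macro name is kept as
# defined so existing callers keep working.
#
define(`bootloader_rw_bootloader_config',`
	requires_block_template(`$0'_depend)
	allow $1 bootloader_etc_t:file rw_file_perms;
')

define(`bootloader_rw_bootloader_config_depend',`
	type bootloader_etc_t;

	class file rw_file_perms;
')

########################################
#
# bootloader_rw_temp_data(domain)
#
# Grant rw_file_perms on bootloader_tmp_t files.
#
define(`bootloader_rw_temp_data',`
	requires_block_template(`$0'_depend)
	# FIXME: read tmp_t
	allow $1 bootloader_tmp_t:file rw_file_perms;
')

define(`bootloader_rw_temp_data_depend',`
	type bootloader_tmp_t;

	class file rw_file_perms;
')

########################################
#
# bootloader_create_runtime_data(domain)
#
# Grant rw_dir_perms on boot_t directories and rw_file_perms, create and
# unlink on boot_runtime_t files.  Files the domain creates in a boot_t
# directory are labeled boot_runtime_t by the type_transition rule, so
# this interface does not grant write access to boot_t files themselves.
#
define(`bootloader_create_runtime_data',`
	requires_block_template(`$0'_depend)
	allow $1 boot_t:dir rw_dir_perms;
	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
	type_transition $1 boot_t:file boot_runtime_t;
')

define(`bootloader_create_runtime_data_depend',`
	type boot_t, boot_runtime_t;

	class dir rw_dir_perms;
	class file { rw_file_perms create unlink };
')

########################################
#
# bootloader_list_kernel_modules(domain)
#
# Grant r_dir_perms on modules_object_t directories.
#
define(`bootloader_list_kernel_modules',`
	requires_block_template(`$0'_depend)
	allow $1 modules_object_t:dir r_dir_perms;
')

define(`bootloader_list_kernel_modules_depend',`
	type modules_object_t;

	class dir r_dir_perms;
')

########################################
#
# bootloader_read_kernel_modules(domain)
#
# Grant r_dir_perms on modules_object_t directories and r_file_perms on
# modules_object_t symbolic links and files.
#
define(`bootloader_read_kernel_modules',`
	requires_block_template(`$0'_depend)
	allow $1 modules_object_t:dir r_dir_perms;
	allow $1 modules_object_t:lnk_file r_file_perms;
	allow $1 modules_object_t:file r_file_perms;
')

define(`bootloader_read_kernel_modules_depend',`
	type modules_object_t;

	class dir r_dir_perms;
	class lnk_file r_file_perms;
	class file r_file_perms;
')

########################################
#
# bootloader_write_kernel_modules(domain)
#
# Grant r_dir_perms on modules_object_t directories and write on
# modules_object_t files, and add the domain to the
# can_modify_kernel_modules attribute.
#
# NOTE(review): how can_modify_kernel_modules is used (for example by a
# constraint or neverallow rule) is not shown in this file; audit the
# members of that attribute when reviewing who can alter kernel modules.
#
define(`bootloader_write_kernel_modules',`
	requires_block_template(`$0'_depend)
	allow $1 modules_object_t:dir r_dir_perms;
	allow $1 modules_object_t:file write;

	typeattribute $1 can_modify_kernel_modules;
')

define(`bootloader_write_kernel_modules_depend',`
	attribute can_modify_kernel_modules;
	type modules_object_t;

	class dir r_dir_perms;
	class file write;
')

########################################
#
# bootloader_manage_kernel_modules(domain)
#
# Grant rw_file_perms, create, setattr and unlink on modules_object_t
# files and rw_dir_perms on modules_object_t directories, and add the
# domain to the can_modify_kernel_modules attribute.  The file
# permission set in the _depend block is written with the same macro as
# the allow rule so the two cannot drift apart.
#
define(`bootloader_manage_kernel_modules',`
	requires_block_template(`$0'_depend)
	allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
	allow $1 modules_object_t:dir rw_dir_perms;

	typeattribute $1 can_modify_kernel_modules;
')

define(`bootloader_manage_kernel_modules_depend',`
	attribute can_modify_kernel_modules;
	type modules_object_t;

	class file { rw_file_perms create setattr unlink };
	class dir rw_dir_perms;
')

########################################
#
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
#
# Let the domain add and remove entries in modules_object_t directories,
# with new objects labeled with the private type given as $2.  $3 is the
# optional object class (or classes) for the type_transition; when it is
# empty the class defaults to file.  Only the directory permissions and
# the transition are granted here; access to objects of type $2 has to
# be allowed by the caller.
#
define(`bootloader_create_private_module_dir_entry',`
	requires_block_template(`$0'_depend)
	allow $1 modules_object_t:dir { getattr search read write add_name remove_name };

	# if a class is specified use it, else use file as default
	ifelse(`$3',`',`
		type_transition $1 modules_object_t:file $2;
	',`
		type_transition $1 modules_object_t:$3 $2;
	')
')

define(`bootloader_create_private_module_dir_entry_depend',`
	type modules_object_t;

	class dir { getattr search read write add_name remove_name };
')

##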