fs, init: allow systemd-init to set the attributes of efivarfs files

avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-06 19:19:51 -05:00 · 2023-03-06 19:19:51 -05:00 · 104e2014ea
commit 104e2014ea
parent 48af8ca656
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
 	read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')

+#######################################
+## <summary>
+##      Set the attributes of files in efivarfs
+##      - contains Linux Kernel configuration options for UEFI systems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_setattr_efivarfs_files',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	setattr_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -463,6 +463,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
 	fs_read_efivarfs_files(init_t)
+	fs_setattr_efivarfs_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)