fs, init: allow systemd-init to set the attributes of efivarfs files

avc:  denied  { setattr } for  pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2023-03-06 19:19:51 -05:00
parent 48af8ca656
commit 104e2014ea
2 changed files with 21 additions and 0 deletions


@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
read_files_pattern($1, efivarfs_t, efivarfs_t)
')
#######################################
## <summary>
## Set the attributes of files in efivarfs
## - contains Linux Kernel configuration options for UEFI systems
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_efivarfs_files',`
gen_require(`
type efivarfs_t;
')
setattr_files_pattern($1, efivarfs_t, efivarfs_t)
')
########################################
## <summary>
## Create, read, write, and delete files
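Review bot: The description line of the new interface, `## - contains Linux Kernel configuration options for UEFI systems`, looks copied from the neighbouring read interface and does not describe efivarfs, which exposes UEFI firmware variables (the denied object in the commit message, `LoaderSystemToken-…`, is such a variable); suggest `## - contains UEFI firmware variables exposed by the kernel`. It would also help reviewers of callers to state in the summary that `setattr_files_pattern` grants search on efivarfs_t directories in addition to setattr on the files, since the interface name only advertises the latter; please verify against the pattern definition. The `<rolecap/>` tag marks this as role-capability material, which seems broad for a permission that lets a domain change attributes on firmware variable files, so consider dropping it unless a role-level caller is planned. The interface is complete within the hunk; the trailing context cuts into the header of the next interface.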


@ -463,6 +463,7 @@ ifdef(`init_systemd',`
fs_relabel_tmpfs_chr_files(init_t)
fs_relabel_tmpfs_fifo_files(init_t)
fs_read_efivarfs_files(init_t)
fs_setattr_efivarfs_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
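Review bot: The new `fs_setattr_efivarfs_files(init_t)` call carries no comment explaining why init needs to change attributes on firmware variables, unlike the adjacent `# for privatetmp functions` line; suggest `# systemd sets attributes on boot loader variables (e.g. LoaderSystemToken)` above it, taken from the AVC in the commit message. Recording the trigger makes it easier to revisit the grant if systemd's handling of those variables changes, since setattr on efivarfs is a write-side permission on firmware state. The call sits inside the `ifdef(`init_systemd',` block whose start and end are outside the hunk, so the gating to systemd-only builds is assumed rather than visible here.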