bootloader from Russell Coker.

This patch adds a lot of policy that is needed to setup an initramfs and grub
on Debian nowadays.

Also changed a comment about ia64 to correctly mention EFI.

policy/modules/admin/bootloader.te

@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.17.4)
+policy_module(bootloader, 1.17.5)
 
 ########################################
 #
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
@@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
 manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
 manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
 files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
+allow bootloader_t bootloader_tmp_t:dir mounton;
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
@@ -64,11 +65,16 @@ kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
+kernel_search_debugfs(bootloader_t)
+kernel_setsched(bootloader_t)
+# for grub-probe
+kernel_request_load_module(bootloader_t)
 
 storage_raw_read_fixed_disk(bootloader_t)
 storage_raw_write_fixed_disk(bootloader_t)
 storage_raw_read_removable_device(bootloader_t)
 storage_raw_write_removable_device(bootloader_t)
+storage_rw_fuse(bootloader_t)
 
 dev_getattr_all_chr_files(bootloader_t)
 dev_getattr_all_blk_files(bootloader_t)
@@ -82,7 +88,7 @@ dev_rw_nvram(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
-#Needed for ia64
+#Needed for EFI
 fs_manage_dos_files(bootloader_t)
 
 mls_file_read_all_levels(bootloader_t)
@@ -104,6 +110,7 @@ files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
 files_read_kernel_modules(bootloader_t)
+files_search_mnt(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
 # for blkid.tab
@@ -111,6 +118,17 @@ files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_mount_fusefs(bootloader_t)
+fs_mount_xattr_fs(bootloader_t)
+fs_mounton_fusefs(bootloader_t)
+fs_read_fusefs_symlinks(bootloader_t)
+fs_read_fusefs_files(bootloader_t)
+fs_getattr_fusefs(bootloader_t)
+fs_unmount_fusefs(bootloader_t)
+fs_unmount_xattr_fs(bootloader_t)
+
+fstools_manage_runtime_files(bootloader_t)
+
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)
 init_use_script_fds(bootloader_t)
@@ -124,10 +142,14 @@ logging_rw_generic_logs(bootloader_t)
 
 miscfiles_read_localization(bootloader_t)
 
+mount_rw_runtime_files(bootloader_t)
+
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
 
+udev_read_pid_files(bootloader_t)
+
 userdom_use_user_terminals(bootloader_t)
 userdom_dontaudit_search_user_home_dirs(bootloader_t)
 
@@ -153,6 +175,7 @@ ifdef(`distro_debian',`
 	apt_read_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
+	dpkg_rw_pipes(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`

policy/modules/kernel/filesystem.if

@@ -1952,6 +1952,24 @@ interface(`fs_read_eventpollfs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##	stat a FUSE filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Mount a FUSE filesystem.

policy/modules/kernel/filesystem.te

@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.7)
+policy_module(filesystem, 1.22.8)
 
 ########################################
 #

policy/modules/system/fstools.if

@@ -155,6 +155,25 @@ interface(`fstools_manage_entry_files',`
 	allow $1 fsadm_exec_t:file manage_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete filesystem tools
+##	runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_manage_runtime_files',`
+	gen_require(`
+		type fsadm_run_t;
+	')
+
+	manage_files_pattern($1, fsadm_run_t, fsadm_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Getattr swapfile

policy/modules/system/fstools.te

@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.3)
+policy_module(fstools, 1.20.4)
 
 ########################################
 #

policy/modules/system/mount.if

@@ -209,3 +209,22 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write mount runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
+')
+

policy/modules/system/mount.te

@@ -1,4 +1,4 @@
-policy_module(mount, 1.19.1)
+policy_module(mount, 1.19.2)
 
 ########################################
 #