bootloader: allow systemd-boot to manage EFI binaries

systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If it is mounted with boot_t, bootctl needs to be able to manage boot_t files. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-06 16:31:46 -04:00 · 2024-05-06 16:31:46 -04:00 · 3dba91dd48
parent ddf395d5d4
commit 3dba91dd48
2 changed files with 23 additions and 0 deletions
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -225,6 +225,10 @@ ifdef(`init_systemd',`
 	fs_getattr_cgroup(bootloader_t)
 	init_read_state(bootloader_t)
 	init_rw_inherited_stream_socket(bootloader_t)
+
+	# for systemd-boot-update to manage EFI binaries
+	domain_obj_id_change_exemption(bootloader_t)
+	files_mmap_read_boot_files(bootloader_t)
 ')

 optional_policy(`
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -2588,6 +2588,25 @@ interface(`files_read_boot_files',`
 	read_files_pattern($1, boot_t, boot_t)
 ')

+########################################
+## <summary>
+##	Read and memory map files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_mmap_read_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files