bootloader: add rEFInd and systemd-boot
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage bootloader files in UEFI (DOS) partition need also to manage UEFI boot variables in efivarfs. Bootctl (systemd-boot tool) verifies the type of EFI file system and needs to mmap() the files. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This commit is contained in:
Topi Miettinen
parent
841cce42e8
commit
eae4ecde22
|
|
@ -2,20 +2,28 @@
|
|||
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
|
||||
/usr/bin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/bin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/usr/sbin/bootctl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/mkrlconf -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/mvrefind -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/refind-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
|
||||
|
|
|
|||
|
|
@ -86,10 +86,12 @@ dev_read_sysfs(bootloader_t)
|
|||
dev_rw_nvram(bootloader_t)
|
||||
|
||||
fs_getattr_xattr_fs(bootloader_t)
|
||||
fs_getattr_dos_fs(bootloader_t)
|
||||
fs_getattr_tmpfs(bootloader_t)
|
||||
fs_read_tmpfs_symlinks(bootloader_t)
|
||||
#Needed for EFI
|
||||
fs_manage_dos_files(bootloader_t)
|
||||
fs_mmap_read_dos_files(bootloader_t)
|
||||
|
||||
mls_file_read_all_levels(bootloader_t)
|
||||
mls_file_write_all_levels(bootloader_t)
|
||||
|
|
@ -120,6 +122,9 @@ files_manage_etc_runtime_files(bootloader_t)
|
|||
files_etc_filetrans_etc_runtime(bootloader_t, file)
|
||||
files_dontaudit_search_home(bootloader_t)
|
||||
|
||||
fs_list_efivars(bootloader_t)
|
||||
fs_manage_efivarfs_files(bootloader_t)
|
||||
|
||||
fs_list_hugetlbfs(bootloader_t)
|
||||
fs_mount_fusefs(bootloader_t)
|
||||
fs_mount_xattr_fs(bootloader_t)
|
||||
|
|
|
|||
|
|
@ -1982,6 +1982,25 @@ interface(`fs_read_dos_files',`
|
|||
read_files_pattern($1, dosfs_t, dosfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and map files on a DOS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_mmap_read_dos_files',`
|
||||
gen_require(`
|
||||
type dosfs_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, dosfs_t, dosfs_t)
|
||||
allow $1 dosfs_t:file map;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
|
|
@ -2039,6 +2058,26 @@ interface(`fs_read_efivarfs_files',`
|
|||
read_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
## on a efivarfs filesystem.
|
||||
## - contains Linux Kernel configuration options for UEFI systems
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_efivarfs_files',`
|
||||
gen_require(`
|
||||
type efivarfs_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## stat a FUSE filesystem
|
||||
|
|
|
|||
Loading…
Reference in New Issue