1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
########################################
## <summary>
## Execute bootloader in the bootloader domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`bootloader_domtrans',`
gen_require(`
type bootloader_t, bootloader_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')
########################################
## <summary>
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`bootloader_run',`
gen_require(`
attribute_role bootloader_roles;
')
bootloader_domtrans($1)
roleattribute $2 bootloader_roles;
')
########################################
## <summary>
## Execute bootloader in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_exec',`
gen_require(`
type bootloader_exec_t;
')
corecmd_search_bin($1)
can_exec($1, bootloader_exec_t)
')
########################################
## <summary>
## Read the bootloader configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_read_config',`
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file read_file_perms;
')
########################################
## <summary>
## Read and write the bootloader
## configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`bootloader_rw_config',`
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file rw_file_perms;
')
########################################
## <summary>
## Read and write the bootloader
## temporary data in /tmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_rw_tmp_files',`
gen_require(`
type bootloader_tmp_t;
')
files_search_tmp($1)
allow $1 bootloader_tmp_t:file rw_file_perms;
')
########################################
## <summary>
## Create, read and write the bootloader
## runtime data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_create_runtime_file',`
gen_require(`
type boot_runtime_t;
')
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')
|
