1
#DESC Bootloader - Lilo boot loader/manager
3
# Author: Russell Coker <russell@coker.com.au>
4
# X-Debian-Packages: lilo
7
#################################
9
# Rules for the bootloader_t domain.
11
# bootloader_exec_t is the type of the bootloader executable.
13
type bootloader_t, domain, privlog, privmem, fs_domain;
14
type bootloader_exec_t, file_type, sysadmfile, exec_type;
15
etc_domain(bootloader)
16
typealias bootloader_etc_t alias etc_bootloader_t;
18
role sysadm_r types bootloader_t;
19
role system_r types bootloader_t;
21
allow bootloader_t var_t:dir search;
22
create_append_log_file(bootloader_t, var_log_t)
23
allow bootloader_t var_log_t:file write;
26
dontaudit bootloader_t var_run_t:dir search;
28
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
29
allow bootloader_t { initrc_t privfd }:fd use;
31
tmp_domain(bootloader)
32
allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
34
read_locale(bootloader_t)
37
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
39
# for /vmlinuz sym link
40
allow bootloader_t root_t:lnk_file read;
42
allow bootloader_t { etc_t device_t }:dir r_dir_perms;
43
allow bootloader_t etc_t:file r_file_perms;
44
allow bootloader_t etc_t:lnk_file read;
45
uses_shlib(bootloader_t)
47
allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
49
# LVM2 / Device Mapper's /dev/mapper/control
50
# maybe we should change the labeling for this
52
role system_r types lvm_t;
53
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
54
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
55
r_dir_file(bootloader_t, lvm_etc_t)
58
# uncomment the following line if you use "lilo -p"
59
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
61
can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
62
allow bootloader_t shell_exec_t:lnk_file read;
63
allow bootloader_t { bin_t sbin_t }:dir search;
64
allow bootloader_t { bin_t sbin_t }:lnk_file read;
66
allow bootloader_t { modules_dep_t modules_object_t }:file read;
67
dontaudit bootloader_t modules_dep_t:file ioctl;
68
allow bootloader_t modules_object_t:dir { read search };
69
allow bootloader_t modules_conf_t:file read;
73
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
76
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
79
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
81
allow bootloader_t boot_t:dir rw_dir_perms;
82
allow bootloader_t boot_t:{ file lnk_file } create_file_perms;
84
allow bootloader_t load_policy_exec_t:file { getattr read };
86
allow bootloader_t random_device_t:chr_file { getattr read };
90
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
91
allow mount_t bootloader_tmp_t:dir mounton;
93
# new file system defaults to file_t, granting file_t access is still bad.
94
allow bootloader_t file_t:dir create_dir_perms;
95
allow bootloader_t file_t:{ file lnk_file blk_file chr_file } create_file_perms;
96
allow bootloader_t self:unix_stream_socket create_socket_perms;
97
allow bootloader_t boot_runtime_t:file { read getattr unlink };
100
allow bootloader_t zero_device_t:chr_file { getattr read };
101
allow bootloader_t self:capability ipc_lock;
104
allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };
105
# allow bootloader to get attributes of any device node
106
allow bootloader_t file_type:dir_file_class_set getattr;
107
dontaudit bootloader_t devpts_t:dir create_dir_perms;
109
allow bootloader_t self:process { fork signal_perms };
110
allow bootloader_t self:lnk_file read;
111
allow bootloader_t self:dir search;
112
allow bootloader_t self:file { getattr read };
113
allow bootloader_t self:fifo_file rw_file_perms;
115
allow bootloader_t fs_t:filesystem getattr;
117
allow bootloader_t proc_t:dir { getattr search };
118
allow bootloader_t proc_t:file r_file_perms;
119
allow bootloader_t proc_t:lnk_file { getattr read };
120
allow bootloader_t self:dir { getattr search read };
121
allow bootloader_t sysctl_kernel_t:dir search;
122
allow bootloader_t sysctl_kernel_t:file { getattr read };
123
allow bootloader_t etc_runtime_t:file r_file_perms;
125
allow bootloader_t devtty_t:chr_file rw_file_perms;
126
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
127
allow bootloader_t initrc_t:fifo_file { read write };
130
# for making an initrd
131
can_exec(bootloader_t, mount_exec_t)
133
can_exec(bootloader_t, chroot_exec_t)
137
# for reading BIOS data
138
allow bootloader_t memory_device_t:chr_file r_file_perms;
140
allow bootloader_t policy_config_t:dir { search read };
141
allow bootloader_t policy_config_t:file read;
143
allow bootloader_t lib_t:file { getattr read };
144
allow bootloader_t sysfs_t:dir getattr;
145
allow bootloader_t urandom_device_t:chr_file read;
146
allow bootloader_t var_t:file { getattr read };
147
r_dir_file(bootloader_t, src_t)