author | Kenton Groombridge <me@concord.sh> | 2021-04-13 16:48:54 -0400 |
committer | Jason Zaman <perfinion@gentoo.org> | 2021-09-05 07:16:58 -0700 |
commit | 95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be (patch) | |
tree | 1da15225d0518635886666e1e646fdf12f99bf81 /policy/modules | |
parent | filesystem, init: allow systemd to create pstore dirs (diff) | |
bootloader, devices: dontaudit grub writing on legacy efi variables
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules')
-rw-r--r-- | policy/modules/admin/bootloader.te | 2 | ||||
-rw-r--r-- | policy/modules/kernel/devices.if | 18 |
2 files changed, 20 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 8bbaed336..c149fd989 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 
 # needed on some hardware
 dev_rw_nvram(bootloader_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 19d29c95f..ac72cde12 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4475,6 +4475,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete sysfs
 ## directories.
 ## </summary>
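Review bot: The added `dev_dontaudit_write_sysfs_files(bootloader_t)` silences every `sysfs_t:file write` denial for bootloader_t, not only the legacy EFI-variable files the comment names, so a sysfs write that grub genuinely needs on some hardware would now fail silently instead of producing an AVC to act on. The path in the comment also looks off: the legacy sysfs variable interface is normally exposed at /sys/firmware/efi/vars (efivarfs itself at /sys/firmware/efi/efivars), so please confirm it before it becomes the documented reason for the rule. I would make the scope explicit in the comment: `# newer grub writes EFI variables via efivarfs but may still touch the legacy sysfs vars interface (/sys/firmware/efi/vars); this silences ALL sysfs_t file write denials for bootloader_t, so revisit if grub ever needs a real sysfs write`. If efivarfs carries its own type in this policy, also check that bootloader_t already has the matching rw interface for it, since a dontaudit grants nothing and the efivarfs writes the commit message describes would otherwise still be denied.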
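Review bot: The new interface's summary promises to silence writes to sysfs files, but the rule covers only the `write` permission, so a caller without read access to `sysfs_t` would still see `open` (and any `append` or `lock`) denials; that precondition is worth stating. I would extend the XML documentation with a `<desc>` block saying that only the `write` permission on `sysfs_t` files is suppressed, that callers are expected to already hold read/open access (for example via `dev_read_sysfs()`), and that the interface is meant for known-benign writes only — a domain that actually needs the write should receive the allow rule instead, since a dontaudit hides the denial without resolving it. The enclosing file continues outside the hunk, so I could not check whether the sibling `dev_dontaudit_write_sysfs_dirs` documents the same caveat; keeping the two consistent would help maintainers.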