On Sat, 12 Jun 2004 21:34, David Balazic <david.balazic@xxxxxxxxx> wrote:
> grub fails with the default root root:sysadm_r:sysadm_t :
>
> [root@localhost root]# grub
> Probing devices to guess BIOS drives. This may take a long time.
> audit(1086973995.955:0): avc: denied { read } for pid=2576
> exe=/sbin/grub name=linux dev=hde2 ino=148612
> scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:usr_t
> tclass=file
> Error opening terminal: linux.
> [root@localhost root]#

I've attached a modified bootloader.te to allow that.

> it works with [2] root:staff_r:staff_t
>
> grub-install does not work at all :
>
> [root@localhost root]# grub-install /dev/hde # this is
> root:staff_r:staff_t
> audit(1086974024.461:0): avc: denied { write } for
> pid=3140 exe=/bin/rm name=grub dev=hde1 ino=9841
> scontext=root:staff_r:staff_t
> tcontext=system_u:object_r:boot_t tclass=dir
> rm: cannot remove `/boot/grub/stage1': Permission denied
> [root@localhost root]#

It is not designed that you will run grub as staff_r.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
#DESC Bootloader - Lilo boot loader/manager
#
# Author:  Russell Coker <russell@xxxxxxxxxxxx>
# X-Debian-Packages: lilo
#
# NOTE(review): this is the copy attached to the thread above, modified so
# that grub run from sysadm_t no longer hits the usr_t:file read denial
# quoted in the mail; see the { usr_t var_t } rule near the end.
#

#################################
#
# Rules for the bootloader_t domain.
#
# bootloader_exec_t is the type of the bootloader executable.
#
# bootloader_t carries privlog (syslog access), privmem (raw memory access,
# used below for memory_device_t) and fs_domain.
type bootloader_t, domain, privlog, privmem, fs_domain;
type bootloader_exec_t, file_type, sysadmfile, exec_type;
# etc_domain() defines bootloader_etc_t; the alias keeps the older name valid.
etc_domain(bootloader)
typealias bootloader_etc_t alias etc_bootloader_t;

# Only sysadm_r and system_r may run in bootloader_t.  staff_r is deliberately
# absent: per the reply in the thread, running grub as staff_r is unsupported,
# so the grub-install failure under staff_t is expected, not a policy bug.
role sysadm_r types bootloader_t;
role system_r types bootloader_t;

allow bootloader_t var_t:dir search;
create_append_log_file(bootloader_t, var_log_t)
allow bootloader_t var_log_t:file write;

# for nscd
dontaudit bootloader_t var_run_t:dir search;

# Entering the domain: only from sysadm_t, via the bootloader executable.
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
allow bootloader_t { initrc_t privfd }:fd use;

# Private tmp type; devfile_class_set covers the device nodes created there.
tmp_domain(bootloader)
allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;

read_locale(bootloader_t)

# for tune2fs
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)

# for /vmlinuz sym link
allow bootloader_t root_t:lnk_file read;

allow bootloader_t { etc_t device_t }:dir r_dir_perms;
allow bootloader_t etc_t:file r_file_perms;
allow bootloader_t etc_t:lnk_file read;
uses_shlib(bootloader_t)
# Read/write on the raw disk nodes is what lets the boot sector be written;
# this is the most sensitive grant in the domain.
allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;

# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
r_dir_file(bootloader_t, lvm_etc_t)
')

# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);

# Executables the boot loader may run without a domain transition.
can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;
allow bootloader_t { modules_dep_t modules_object_t }:file read;
dontaudit bootloader_t modules_dep_t:file ioctl;
allow bootloader_t modules_object_t:dir { read search };
allow bootloader_t modules_conf_t:file read;

# for ldd
# execute_no_trans: these run inside bootloader_t rather than entering the
# fsadm_t / insmod_t domains.
ifdef(`fsadm.te', `
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
')
ifdef(`modutil.te', `
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
')
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;

# Full create/write access under /boot (boot_t) for stage files and links.
allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:{ file lnk_file } create_file_perms;
allow bootloader_t load_policy_exec_t:file { getattr read };
allow bootloader_t random_device_t:chr_file { getattr read };

ifdef(`rpm.te', `
# for mke2fs
# NOTE(review): the trailing semicolon on this macro call differs from the
# other domain_auto_trans() uses in this file; confirm it is accepted.
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
allow mount_t bootloader_tmp_t:dir mounton;
# new file system defaults to file_t, granting file_t access is still bad.
# (file_t is the unlabeled type, so this rule is broader than the initrd
# use case it serves.)
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file lnk_file blk_file chr_file } create_file_perms;
allow bootloader_t self:unix_stream_socket create_socket_perms;
allow bootloader_t boot_runtime_t:file { read getattr unlink };
# for memlock
allow bootloader_t zero_device_t:chr_file { getattr read };
allow bootloader_t self:capability ipc_lock;
')

# sys_rawio pairs with the blk_file rw grant above; mknod/chown for device
# nodes created in bootloader_tmp_t; sys_admin is broad by nature.
allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };

# allow bootloader to get attributes of any device node
# (granted on all of file_type, i.e. metadata of every labeled file, not
# only device nodes; contents are not readable through this rule.)
allow bootloader_t file_type:dir_file_class_set getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;

allow bootloader_t self:process { fork signal_perms };
allow bootloader_t self:lnk_file read;
allow bootloader_t self:dir search;
allow bootloader_t self:file { getattr read };
allow bootloader_t self:fifo_file rw_file_perms;

allow bootloader_t fs_t:filesystem getattr;
allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file { getattr read };
allow bootloader_t self:dir { getattr search read };
allow bootloader_t sysctl_kernel_t:dir search;
allow bootloader_t sysctl_kernel_t:file { getattr read };
allow bootloader_t etc_runtime_t:file r_file_perms;

# Terminal access so interactive grub/lilo can talk to the admin tty.
allow bootloader_t devtty_t:chr_file rw_file_perms;
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };

ifdef(`dpkg.te', `
# for making an initrd
can_exec(bootloader_t, mount_exec_t)
ifdef(`chroot.te', `
can_exec(bootloader_t, chroot_exec_t)
')dnl end chroot.te
')dnl end dpkg.te

# for reading BIOS data
# Read-only (r_file_perms) on memory_device_t; relies on the privmem attribute.
allow bootloader_t memory_device_t:chr_file r_file_perms;

allow bootloader_t policy_config_t:dir { search read };
allow bootloader_t policy_config_t:file read;
allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t urandom_device_t:chr_file read;
# usr_t read is the change for the denial in the mail (exe=/sbin/grub
# name=linux tcontext=system_u:object_r:usr_t tclass=file, followed by
# "Error opening terminal: linux") -- presumably the terminfo entry under
# /usr.  Read-only, no write or execute on usr_t/var_t files.
allow bootloader_t { usr_t var_t }:file { getattr read };
r_dir_file(bootloader_t, src_t)