> To fix, I'd suggest adding getattr to any allow rule where read
> permission is granted in bootloader.te, or replacing uses of "read" with
> the r_file_perms macro.

The attached patch is needed to make it complete. However, this is something we may want to reconsider; currently we don't include policy in the initrd, so bootloader_t has no need to read it.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--- /usr/src/se/policy/domains/program/unused/bootloader.te 2004-07-17 11:30:39.000000000 +1000 +++ domains/program/unused/bootloader.te 2004-07-17 11:37:24.000000000 +1000 @@ -138,7 +138,7 @@ allow bootloader_t memory_device_t:chr_file r_file_perms; allow bootloader_t policy_config_t:dir { search read }; -allow bootloader_t policy_config_t:file read; +allow bootloader_t policy_config_t:file { getattr read }; allow bootloader_t lib_t:file { getattr read }; allow bootloader_t sysfs_t:dir getattr;
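Review bot: before widening the `policy_config_t:file` rule to `{ getattr read }`, settle whether bootloader_t should hold it at all; the reply states that policy is not shipped in the initrd, so the least-privilege fix may be to drop this rule and the `policy_config_t:dir { search read }` line above it rather than grant getattr. If the rule stays, the explicit `{ getattr read }` form matches the adjacent `lib_t:file { getattr read }` line, while the `memory_device_t:chr_file r_file_perms` line in the same context uses the macro that the quoted suggestion offered as the alternative; pick one convention for the file so later audits of read-without-getattr rules do not have to special-case either spelling.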