[refpolicy] [PATCH] bootloader: add permissions to read boot files in order to generate a configuration file

[pebenito@ieee.org (Chris PeBenito)]

On 02/07/17 21:13, Jason Zaman via refpolicy wrote:
> On Wed, Feb 08, 2017 at 12:32:32AM +0100, Guido Trentalancia via refpolicy wrote:
>> Allow the bootloader to read boot files in order to generate
>> a configuration file.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>
> NACK. this wont work. Just use the patch I posted
> http://oss.tresys.com/pipermail/refpolicy/2017-February/009011.html
> [PATCH v2] bootloader: grub needs to manage grub.cfg and read kernels

I've decided to revert this patch.  A nonfunctional system app like this 
is not acceptable.  I am still open to a change along these lines, 
though arguably because bootloader has raw disk access, it doesn't 
matter much if it can overwrite the kernel via normal file access.


>> ---
>>  policy/modules/admin/bootloader.te |    1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff -pru refpolicy-git-08022017-orig/policy/modules/admin/bootloader.te refpolicy-git-08022017/policy/modules/admin/bootloader.te
>> --- refpolicy-git-08022017-orig/policy/modules/admin/bootloader.te	2016-12-29 22:48:16.446818415 +0100
>> +++ refpolicy-git-08022017/policy/modules/admin/bootloader.te	2017-02-08 00:14:22.923674773 +0100
>> @@ -108,6 +108,7 @@ corecmd_exec_all_executables(bootloader_
>>  domain_use_interactive_fds(bootloader_t)
>>
>>  files_create_boot_dirs(bootloader_t)
>> +files_read_boot_files(bootloader_t)
>>  files_read_etc_files(bootloader_t)
>>  files_read_usr_src_files(bootloader_t)
>>  files_read_usr_files(bootloader_t)
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito