diff options
-rw-r--r-- | policy/modules/admin/bootloader.te | 4 | ||||
-rw-r--r-- | policy/modules/kernel/files.if | 19 |
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 294ce7e0..81748a5f 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -225,6 +225,10 @@ ifdef(`init_systemd',` fs_getattr_cgroup(bootloader_t) init_read_state(bootloader_t) init_rw_inherited_stream_socket(bootloader_t) + + # for systemd-boot-update to manage EFI binaries + domain_obj_id_change_exemption(bootloader_t) + files_mmap_read_boot_files(bootloader_t) ') optional_policy(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index e0337d04..b9c45132 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2592,6 +2592,25 @@ interface(`files_read_boot_files',` ######################################## ## <summary> +## Read and memory map files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_mmap_read_boot_files',` + gen_require(` + type boot_t; + ') + + mmap_read_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> ## Create, read, write, and delete files ## in the /boot directory. ## </summary> |