Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
Date: Sun, 05 Feb 2017 09:53:43
Message-Id: 1486284323.6071ad267042af00ae73aa58d7c07d5e78a3e0b3.perfinion@gentoo
commit: 6071ad267042af00ae73aa58d7c07d5e78a3e0b3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 07:42:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 08:45:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6071ad26

bootloader: grub needs to manage grub.cfg

commit b0c13980d224c49207315154905eb7fcb90f289d
broke grub-mkconfig, which needs to be able to update the grub.cfg file.
Remove the fcontext for grub.cfg so it can update the file.

$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
Permission denied

type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE

policy/modules/admin/bootloader.fc | 3 ---
1 file changed, 3 deletions(-)

30 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
31 index c43c428..d62e8e3 100644
32 --- a/policy/modules/admin/bootloader.fc
33 +++ b/policy/modules/admin/bootloader.fc
34 @@ -1,9 +1,6 @@
35 /boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
36 /boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
37
38 -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
39 -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
40 -
41 /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
42 /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
43 /etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
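Review bot: dropping the two fcontext entries fixes the denial, but it does so by letting grub.cfg fall back to the directory's default bootloader_run_t (from the `/boot/grub.*/.*` line kept above), which gives up the distinct bootloader_etc_t label that separated the generated config from the rest of /boot/grub. The audit log shows the only failing operation was `unlink` of the bootloader_etc_t target during the rename (grub.cfg.new was already bootloader_run_t and renamed fine), so an alternative that keeps the label is to grant bootloader_t the missing file permissions on bootloader_etc_t in the module's .te, e.g. `manage_files_pattern(bootloader_t, bootloader_etc_t, bootloader_etc_t)`. Whichever way is chosen, grub.cfg files already on disk keep bootloader_etc_t until relabeled, so the commit message should say that `restorecon -R /boot/grub` (or a full relabel) is needed after loading the new policy.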