diff --git a/grub.patch b/grub.patch
new file mode 100644
index 0000000..2f21eff
--- /dev/null
+++ b/grub.patch
@@ -0,0 +1,36 @@
+diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
+index 7a6f06f..e117271 100644
+--- a/policy/modules/admin/bootloader.fc
++++ b/policy/modules/admin/bootloader.fc
+@@ -1,9 +1,11 @@
+-
++/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/installkernel -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/new-kernel-pkg -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
+index f95087c..e7d705e 100644
+--- a/policy/modules/admin/permissivedomains.te
++++ b/policy/modules/admin/permissivedomains.te
+@@ -2,6 +2,14 @@
+
+ optional_policy(`
+ gen_require(`
++ type bootloader_t;
++ ')
++
++ permissive bootloader_t;
++')
++
++optional_policy(`
++ gen_require(`
+ type systemd_logger_t;
+ ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fc940c3..edbd882 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -24,6 +24,7 @@ Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: ephemeral.patch
 patch2: unconfined_permissive.patch
+patch3: grub.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
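Review bot: `permissive bootloader_t;` in the embedded permissivedomains.te hunk switches off enforcement for the domain the bootloader executables labeled in this same patch (grub, installkernel, new-kernel-pkg) transition into, and the commit records neither the denials that motivated it nor when it is meant to go away. A comment such as `# TODO: temporary until bootloader_t denials from the new grub/installkernel/new-kernel-pkg contexts are resolved` above the `permissive` line would keep the exemption from quietly becoming permanent. In the bootloader.fc hunk, `/sbin/grub` is widened to `/sbin/grub.*` while the context line `/usr/sbin/grub` stays an exact match, so the same grub-prefixed helpers under /usr/sbin would keep the default label; `/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)` would make the two entries agree. The visible lines of the embedded `@@ -2,6 +2,14 @@` hunk fall one short of its old and new counts, which may be an artefact of how this page was rendered, so confirming that `%patch3 -p1` applies cleanly is worthwhile.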
@@ -239,6 +240,7 @@ Based off of reference policy: Checked out revision 2.20091117
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %install
 mkdir selinux_config