commit: fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Nov 10 17:58:42 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e
files, init: allow init to remount filesystems mounted on /boot
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ea29fef3..baedb52e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2238,6 +2238,24 @@ interface(`files_mounton_root',`
allow $1 root_t:dir mounton;
')
+########################################
+## <summary>
+## Remount a filesystem mounted on /boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_remount_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:filesystem remount;
+')
+
########################################
## <summary>
## Get attributes of the /boot directory.
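Review bot: The summary for files_remount_boot says "Remount a filesystem mounted on /boot", but the rule it documents, `allow $1 boot_t:filesystem remount;`, keys on the filesystem label rather than on the mount point. A DOS filesystem mounted on /boot without a context= option stays dosfs_t and is not covered, while any filesystem labeled boot_t is covered wherever it is mounted. Consider wording the summary as "Remount filesystems labeled boot_t" and mentioning the context= mount option in a <desc> block, so callers do not assume the interface covers every /boot mount.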
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3f1c7d20..6e1baef9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -417,6 +417,7 @@ ifdef(`init_systemd',`
files_mounton_tmp(init_t)
files_manage_urandom_seed(init_t)
files_read_boot_files(initrc_t)
+ files_remount_boot(init_t)
files_relabel_all_lock_dirs(init_t)
files_search_all(init_t)
files_unmount_all_file_type_fs(init_t)
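Review bot: The new `files_remount_boot(init_t)` call in the init_systemd block has no comment saying why init needs it, and the reason (ProtectSystem=full remounting a /boot filesystem labeled through context=) lives only in the commit message. A one-line comment above the call would help anyone auditing init_t's filesystem permissions later, since remount on boot_t is otherwise an unusual grant to find here. Minor: if this list is meant to be alphabetical, the call belongs after files_relabel_all_lock_dirs(init_t), though the surrounding lines are not strictly sorted either.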