commit: fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Wed Nov 10 17:58:42 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu Mar 31 02:40:53 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e
files, init: allow init to remount filesystems mounted on /boot The context= mount option can be used to label, for example, a DOS filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly allow init (systemd) to remount boot_t filesystems so that options like ProtectSystem=full work properly. Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/kernel/files.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ea29fef3..baedb52e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2238,6 +2238,24 @@ interface(`files_mounton_root',`
 allow $1 root_t:dir mounton;
 ')
 
+########################################
+## <summary>
+## Remount a filesystem mounted on /boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_remount_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ## Get attributes of the /boot directory.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3f1c7d20..6e1baef9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -417,6 +417,7 @@ ifdef(`init_systemd',`
 files_mounton_tmp(init_t)
 files_manage_urandom_seed(init_t)
 files_read_boot_files(initrc_t)
+ files_remount_boot(init_t)
 files_relabel_all_lock_dirs(init_t)
 files_search_all(init_t)
 files_unmount_all_file_type_fs(init_t)
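Review bot: The summary of `files_remount_boot` describes the grant by mount point, but the rule `allow $1 boot_t:filesystem remount;` is keyed on the filesystem label. It therefore covers any filesystem labelled boot_t wherever it is mounted, and it does not cover a /boot filesystem that keeps its native label (the commit message's dosfs_t case without context=). The remount permission is also not limited to read-only transitions, so a caller can change mount options in either direction. I would reword the summary to `##	Remount a filesystem labeled boot_t, such as one mounted on /boot with context=boot_t.` so that anyone auditing callers sees the real scope.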
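Review bot: The added `files_remount_boot(init_t)` line gives the PID 1 domain a new filesystem permission with no in-file rationale; the reason (systemd's ProtectSystem= handling) lives only in the commit message. A one-line comment above it, for example `# ProtectSystem= remounts boot_t filesystems when setting up a unit's mount namespace`, would keep the grant from looking stray in a later audit of init_t. The surrounding ifdef block starts and ends outside this hunk, so whether the native-label case (a /boot left as dosfs_t) is already handled elsewhere cannot be told from here.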