From 17ae64af97cffd3af82dd320ef893f7cea5969df Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 4 Sep 2024 18:30:13 +0200
Subject: [PATCH] Update bootupd policy for unmounted ESP case

bootupd needs to check if device exists before mounting it, and then uses "cp -a" to update the bootloader.

The commit addresses the following AVC denial:
type=AVC msg=audit(1725385838.182:370): avc: denied { getattr } for pid=3034 comm="bootupctl" path="/dev/vda1" dev="devtmpfs" ino=311 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1725385843.983:373): avc: denied { setfscreate } for pid=3046 comm="cp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=process permissive=1

Resolves: https://github.com/fedora-selinux/selinux-policy/issues/2341
---
 policy/modules/contrib/bootupd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te
index f4fb56f610..f86ed6efed 100644
--- a/policy/modules/contrib/bootupd.te
+++ b/policy/modules/contrib/bootupd.te
@@ -20,7 +20,7 @@ files_pid_file(bootupd_var_run_t)
 # bootupd local policy
 #
 allow bootupd_t self:capability { setgid setuid };
-allow bootupd_t self:process { fork setpgid };
+allow bootupd_t self:process { fork setfscreate setpgid };
 allow bootupd_t self:fifo_file rw_fifo_file_perms;
 allow bootupd_t self:unix_dgram_socket create_socket_perms;
 allow bootupd_t self:unix_stream_socket create_stream_socket_perms;
@@ -46,6 +46,8 @@ fs_manage_dos_dirs(bootupd_t)
 fs_manage_dos_files(bootupd_t)
 fs_search_efivarfs_dirs(bootupd_t)
 
+storage_getattr_fixed_disk_dev(bootupd_t)
+
 optional_policy(`
 	bootloader_domtrans(bootupd_t)
 ')
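Review bot: The `setfscreate` added to the `self:process` rule on the new side has no comment tying it to the `cp -a` invocation, even though the AVC in the commit message (comm="cp") shows that `cp` setting the file-creation context, not bootupd itself, is the consumer of the permission. `setfscreate` lets bootupd_t choose the label of every file it creates, bounded by the domain's existing `create` rules on file classes, so the rationale is worth recording next to the rule; a comment such as `# cp -a calls setfscreatecon() when copying bootloader files into the ESP` above the allow line would do. The surrounding local-policy block continues outside the hunk.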
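Review bot: `storage_getattr_fixed_disk_dev(bootupd_t)` in the second hunk grants getattr on every fixed_disk_device_t block node, not only the ESP partition the commit message describes, because the interface works per type rather than per device; that is the finest granularity available here and it is only a stat, so it is acceptable, but a comment above the call stating the purpose, e.g. `# stat the ESP device node to check it exists before mounting it`, would record that raw read/write on the device is intentionally not granted. The addition matches the getattr-only blk_file AVC in the commit message and does not pull in any read or write interface, which is the least-privilege choice. The trailing `optional_policy` block in the hunk is unchanged context.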