public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2014-10-12  8:44 Sven Vermeulen
From: Sven Vermeulen @ 2014-10-12  8:44 UTC
  To: gentoo-commits

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it.

Grant it this privilege and have this directory be labeled as
pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	ifdef(`distro_gentoo',`
+		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
+	')
 ')
 
 ########################################
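Review bot: the new `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` only decides the label of the created directory; the underlying filetrans pattern grants write access to the parent pid directory but not `create` on `pam_var_run_t:dir` itself, so check (for example with sesearch on the built policy) that `$1_sudo_t` already gets that permission elsewhere in the template, otherwise the mkdir quoted in the commit message is still denied, only now against the pam_var_run_t label. The block would also benefit from a comment saying why it sits under `ifdef(`distro_gentoo')`: creating /var/run/sudo with a ts/ subdirectory is stock sudo behaviour, so this looks like a candidate for upstream refpolicy rather than a distro-only rule.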


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2014-10-12  8:59 Sven Vermeulen
From: Sven Vermeulen @ 2014-10-12  8:59 UTC
  To: gentoo-commits

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.

No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Set ownership of ts directory (timestamp keeping)
+		allow $1_sudo_t self:capability { chown };
+		# Create /var/run/sudo
 		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 	')
 ')
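Review bot: `allow $1_sudo_t self:capability { chown };` grants the whole chown capability, which lets the domain change ownership of any file it can otherwise reach, not only the ts/ directory. Since the commit message says nothing fails (only a denial is logged and the group ownership ends up different), the narrower option is `dontaudit $1_sudo_t self:capability chown;` and leaving the directory with the ownership sudo gets by default; the comment should state whether sudo later refuses a ts/ directory whose ownership is off, because that is what decides between allow and dontaudit. Style: braces around a single permission are not needed (`self:capability chown;`), and a blank line between the chown rule and the `# Create /var/run/sudo` comment would keep each comment with the rule it describes.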


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2014-11-28 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     364faaa731277dee24837e0781cb3cc520f36406
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:28:47 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:28:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=364faaa7

Add upstream feedback when sent but needs some work

---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 4855693..e11f53a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -571,11 +571,13 @@ ifdef(`distro_gentoo',`
 	# groupadd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow groupadd_t self:netlink_selinux_socket { create bind };
 
 	########################################
 	# useradd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow useradd_t self:netlink_selinux_socket { create bind };
 ')
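Review bot: both new comments carry only a URL; a few words on what upstream concluded about the `netlink_selinux_socket { create bind }` request would keep the rationale readable without following the link, and the identical rule plus comment for `groupadd_t` and `useradd_t` could be written once through a small shared interface instead of being duplicated, so that a future upstream fix replaces it in one place.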


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2014-11-28 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     4d16571c5e3d0449b38cdd8619db04e93526fcf9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 22:22:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 22:22:02 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d16571c

Missing quote

---
 policy/modules/admin/dmesg.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 1b6e1b2..6271b3c 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -58,7 +58,7 @@ interface(`dmesg_exec',`
 ## </param>
 ## <rolecap/>
 #
-interface(`dmesg_run,`
+interface(`dmesg_run',`
 	gen_require(`
 		type dmesg_t;
 	')
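Review bot: correct fix; with the unbalanced m4 quote in `interface(`dmesg_run,`` the interface name ran into its body, so any `dmesg_run(...)` call in a role module could not have produced the intended rules. After rebuilding, verify that the calling domain now gets the transition (`sesearch -T -s <caller> -t dmesg_exec_t` on the built policy), and if this got through the policy build unnoticed, a check for balanced m4 quotes in .if files would catch the next one earlier.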


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2015-01-29  6:51 Jason Zaman
From: Jason Zaman @ 2015-01-29  6:51 UTC
  To: gentoo-commits

commit:     6021047ffb0b923335185c9a879a7ebb994acedb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 25 14:03:05 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Jan 25 14:03:05 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6021047f

Fix bug #537652 - Allow grub2-mkconfig to be executed from the user home dir (default location when executing commands for a user)

---
 policy/modules/admin/bootloader.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 197791f..fcaa6d4 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -208,3 +208,8 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
+	userdom_search_user_home_dirs(bootloader_t)
+')
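Review bot: `userdom_search_user_home_dirs(bootloader_t)` lets the bootloader domain traverse every user's home directory, while the comment says the need is only resolving the current directory when the tool is started from a home dir. If grub2-mkconfig merely logs the denial on the cwd lookup and still succeeds, the `dontaudit` variant of this interface is the smaller change; if it really fails, the comment should name the operation that needs it (getcwd, opening a relative path). The `ifdef(`distro_gentoo')` guard also looks unnecessary: nothing here is Gentoo-specific, so the rule belongs in the common part of the file or upstream.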


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2015-06-07  9:31 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-07  9:31 UTC
  To: gentoo-commits

commit:     abcbaf9dd3597c68f75999fb3f755dd4c158e3d4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun  7 09:19:00 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun  7 09:19:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abcbaf9d

Fix bug 535988 - Do not audit device reads when invoking tcpdump

Occurs when invoking tcpdump without any options:

~# tcpdump

Denials:

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:83): avc:  denied  { read } for
pid=17708 comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file
permissive=0

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:84): avc:  denied  { search } for
pid=17708 comm="tcpdump" name="/" dev="debugfs" ino=1
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

X-Gentoo-Bug: 535988

 policy/modules/admin/netutils.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b8169a8..54e1603 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -216,3 +216,14 @@ userdom_use_user_terminals(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+ifdef(`distro_gentoo',`
+	########################################
+	# 
+	# netutils_t policy updates
+	#
+
+	# Fix bug 535988
+	kernel_dontaudit_search_debugfs(netutils_t)
+	dev_dontaudit_read_usbmon_dev(netutils_t)	
+')
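Review bot: trailing whitespace on the `# ` comment line and after `dev_dontaudit_read_usbmon_dev(netutils_t)` (a trailing tab) should be stripped before merging. On substance, `dontaudit` is the right choice for the usbmon read and the debugfs search: tcpdump probes these while enumerating capture interfaces and works without them, so silencing the denials keeps the audit log meaningful without widening the domain. A comment that anyone who actually wants to capture on usbmon needs an `allow` instead would save the next reader from turning these into allows by reflex.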


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2015-06-09 10:45 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 10:45 UTC
  To: gentoo-commits

commit:     4835f7f1d0a050d045335d19505e8113de883dfa
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun  9 10:45:03 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 10:45:03 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4835f7f1

Support capabilities for tcpdump (netutils_t)

 policy/modules/admin/netutils.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 54e1603..407685f 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -224,6 +224,11 @@ ifdef(`distro_gentoo',`
 	#
 
 	# Fix bug 535988
+	allow netutils_t self:process getcap;
+	allow netutils_t self:capability setpcap;
+
+	kernel_request_load_module(netutils_t)
 	kernel_dontaudit_search_debugfs(netutils_t)
-	dev_dontaudit_read_usbmon_dev(netutils_t)	
+
+	dev_dontaudit_read_usbmon_dev(netutils_t)
 ')
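Review bot: the `# Fix bug 535988` comment now heads four rules of which only the two `dontaudit` lines relate to that bug; the `getcap`/`setpcap` pair and `kernel_request_load_module` are the capability support from the subject and deserve their own comment saying what triggers them. `setpcap` is typically what tcpdump asks for when it drops its capabilities after opening the capture device, which is worth keeping, but `kernel_request_load_module` lets the domain have the kernel autoload modules and the comment should record which module request was observed. The hunk also re-adds the usbmon line only to drop its trailing tab; that whitespace fix would be clearer as its own change.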


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2015-08-02 19:06 Jason Zaman
From: Jason Zaman @ 2015-08-02 19:06 UTC
  To: gentoo-commits

commit:     770ab52d286978f77fc9ebc650cbf0a8f04663ce
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 15 13:44:53 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 15 13:44:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770ab52d

Fix avc_context_to_raw assertion in su domains (bug #554080)

Although earlier investigations on the same matter [1] did not result in
a good fix (it seemed that the permissions were needed for the wrong
reasons, but would most likely require a fix in either the application
that is SELinux-aware or in how the permissions are handled), it does
not look like we will see a proper solution in the near future.

[1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html

So allow the permissions (without write / send/recv_msg) to allow su
domains to go forward.

X-Gentoo-Bug: 554080
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554080

 policy/modules/admin/su.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index aea8a4f..a069cb8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -119,6 +119,8 @@ template(`su_restricted_domain_template', `
 	')
 
 	ifdef(`distro_gentoo',`
+		# Fix bug 554080 - Allow su to query SELinux subsystem (netlink_selinux_socket)
+		allow $1_su_t self:netlink_selinux_socket { create bind read };
 		selinux_get_fs_mount($1_su_t)
 	')
 ')
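Review bot: the subject speaks of su domains in general, but the hunk only touches `su_restricted_domain_template`; if domains from `su_role_template` hit the same avc_context_to_raw assertion they need the same rule. The `{ create bind read }` set matches the stated intent of leaving out write and send_msg/recv_msg. Since the near-identical create/bind rule already exists for `groupadd_t` and `useradd_t` in usermanage.te with the same upstream reference, a small shared interface would keep all three in sync when the upstream fix lands.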


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2017-01-01 16:37 Jason Zaman
From: Jason Zaman @ 2017-01-01 16:37 UTC
  To: gentoo-commits

commit:     7c30c8834c281dc9a151d1d11f68aac9d86067b1
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 00:22:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883

bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/admin/bootloader.fc |  6 ++++++
 policy/modules/admin/bootloader.te | 17 +++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56..5b67c16 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
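Review bot: the new regexes need tightening before these contexts can be relied on: `/boot/grub.*` has an unescaped `.` followed by `*`, so it matches `/boot/grubby` and anything else starting with `grub`, and the existing lines in this file show the convention (`lilo\.conf`); `/boot/grub2?` is what is meant, and `grub\.cfg` / `grub\.conf` likewise. `/etc/grub.d(/.*)?` carries the `--` qualifier, which limits the entry to regular files, so the `/etc/grub.d` directory itself stays `etc_t` and the intent of labelling the whole tree is only half met; drop the qualifier or add a separate `-d` line for the directory.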

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d4..e3f2a72 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
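Review bot: the name `bootloader_run_t` and the "runtime files" comment are misleading for persistent files under /boot/grub: refpolicy uses run in type names for /run state, and the type is declared with `files_type()` rather than as a pid file type, which shows these are ordinary on-disk files; a name such as `bootloader_boot_t` would read naturally. The `alias run_bootloader_t` also looks unneeded: aliases exist to keep an old type name working after a rename, and nothing in this module had that name before.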
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
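Review bot: switching `bootloader_etc_t` from `read_file_perms` to `exec_file_perms` makes every file carrying that label executable by bootloader_t, including grub.cfg, lilo.conf and yaboot.conf, which are data. Only the /etc/grub.d scripts need execute; giving those their own type, applied by the .fc to `/etc/grub.d` alone, would keep the configuration files read-only and preserve the tightening this commit is after.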
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
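Review bot: `files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })` applies to everything bootloader_t creates directly under a boot_t directory, not just the grub tree, so a kernel image or initramfs written by a tool running in this domain would come out as `bootloader_run_t` instead of `boot_t` and then disagree with the .fc. Restricting the transition with the optional filename argument (the `grub` directory names the .fc lists) keeps the automatic label to the paths the file contexts cover.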
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
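Review bot: dropping `files_manage_boot_files` and `files_manage_boot_symlinks` means bootloader_t can only modify /boot content it created itself (now labelled bootloader_run_t); anything already on disk as boot_t, for example lilo's map file or a /boot/grub tree installed before the new file contexts were applied, becomes read-only to it. The commit message should say that a relabel of /boot is required and lilo needs checking, since lilo writes into /boot rather than /boot/grub. Removing `files_exec_etc_files` is the right direction, but only once the /etc/grub.d scripts really carry the new label, which depends on the .fc hunk above being fixed.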


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
@ 2017-02-17  8:44 Jason Zaman
From: Jason Zaman @ 2017-02-17  8:44 UTC
  To: gentoo-commits

commit:     26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 11 19:26:48 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:37 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63

Revert "bootloader: stricter permissions and more tailored file contexts"

This reverts commit b0c13980d224c49207315154905eb7fcb90f289d.

 policy/modules/admin/bootloader.fc |  6 ------
 policy/modules/admin/bootloader.te | 17 ++++-------------
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d3925950..cdd6d3dd 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,12 +1,6 @@
-/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
-/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
-
-/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
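Review bot: the message says this reverts `b0c13980d2...`, but that is not the hash the bootloader change has in this repository (it landed here as 7c30c883, the 2017-01-01 commit in this thread), so the reference should be adjusted when the revert is cherry-picked, and the message gives no reason for reverting; recording what broke would give the next attempt at tightening bootloader_t something to work from. The context lines (`/usr/sbin/grub`, `grub2?-bios-setup`) also show the file has moved on since the original change, so this revert was regenerated rather than applied mechanically, which is worth a line in the message.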

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fd9df5c8..bd69d431 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
-# bootloader_run_t are image and other runtime
-# files
-#
-type bootloader_run_t alias run_bootloader_t;
-files_type(bootloader_run_t)
-
-#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file exec_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
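Review bot: restoring `read_file_perms` here together with `files_exec_etc_files` in the last hunk returns bootloader_t to executing any etc_t file, which is exactly the part the reverted commit called out as dangerous. If the revert is motivated by the narrower labels breaking grub2-mkconfig or lilo, saying so would allow a follow-up that keeps the configuration files read-only while fixing the breakage instead of reopening everything.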
@@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
-manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
-
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
@ 2017-02-17  8:50 Jason Zaman
From: Jason Zaman @ 2017-02-17  8:50 UTC
  To: gentoo-commits

commit:     26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 11 19:26:48 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:37 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63

Revert "bootloader: stricter permissions and more tailored file contexts"

This reverts commit b0c13980d224c49207315154905eb7fcb90f289d.
