authorKenton Groombridge <concord@gentoo.org>2024-05-06 16:31:46 -0400
committerKenton Groombridge <concord@gentoo.org>2024-05-14 13:41:44 -0400
commitda28221423dba9c102a06afb6c7eac7cd2d0117a (patch)
tree76362976707e316c11f76058656a256ac563aa3d
parentasterisk: allow binding to all unreserved UDP ports (diff)
downloadhardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.tar.gz
hardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.tar.bz2
hardened-refpolicy-da28221423dba9c102a06afb6c7eac7cd2d0117a.zip
bootloader: allow systemd-boot to manage EFI binaries
systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If the EFI partition is mounted with the boot_t label, bootctl needs to be able to manage boot_t files. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/bootloader.te4
-rw-r--r--policy/modules/kernel/files.if19
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
fs_getattr_cgroup(bootloader_t)
init_read_state(bootloader_t)
init_rw_inherited_stream_socket(bootloader_t)
+
+ # for systemd-boot-update to manage EFI binaries
+ domain_obj_id_change_exemption(bootloader_t)
+ files_mmap_read_boot_files(bootloader_t)
')
optional_policy(`
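Review bot: `domain_obj_id_change_exemption(bootloader_t)` on the third added line is a domain-wide exemption rather than a boot_t-scoped rule — as far as I recall it attaches the `can_change_object_identity` attribute that the file create/relabelto constraints consult — and the comment above it only says "manage EFI binaries" without naming the denial it clears. Suggest making the comment carry that, e.g. `# bootctl (systemd-boot-update.service) replaces EFI binaries under boot_t; the object identity exemption lets files it (re)creates carry a different SELinux user than the caller — confirm against the observed AVC`. The commit message says bootctl must manage boot_t files, but this hunk only adds mmap-read plus the exemption, so the manage rule is presumably granted earlier in the enclosing `ifdef(\`init_systemd'` block, which starts before the hunk; worth a cross-reference in the comment so the exemption is not mistaken for the manage grant.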
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2592,6 +2592,25 @@ interface(`files_read_boot_files',`
########################################
## <summary>
+## Read and memory map files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_mmap_read_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete files
## in the /boot directory.
## </summary>
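Review bot: The `## <rolecap/>` tag on the new `files_mmap_read_boot_files` interface advertises memory-mapped read of boot_t content (kernel images, EFI binaries) as a capability that can be handed to user roles, while the only caller in this commit is bootloader_t; if the neighbouring `files_read_boot_files` interface does not carry the same tag (its header is above the hunk), either the two should agree or the tag should be dropped here until a role actually needs it. The summary could also state what the pattern grants, since `mmap_read_files_pattern` presumably allows directory search as well as read and map on the files: `## Search the /boot directory and read and memory map files in it.`.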