author | Chris PeBenito <pebenito@ieee.org> | 2021-03-05 16:06:44 -0500 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-03-21 14:38:23 -0700 |
commit | 0458f4e2ec20f27f0cdc6a29c91e62bb65865075 (patch) | |
tree | 9adf36f11bb894eb3b15fdc3cc54954d04f32678 /policy/modules/kernel/selinux.te | |
parent | rpc: Module version bump. (diff) | |
selinux: Add a secure_mode_setbool Boolean.
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.
This does not affect setenforce. Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules/kernel/selinux.te')
-rw-r--r-- | policy/modules/kernel/selinux.te | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 3e4f20005..a1b4ae3e4 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0)
 
 ## <desc>
 ## <p>
-## Boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values. Set this to true and you
-## have to reboot to set it back.
+## Boolean to determine whether the system permits loading policy, and setting
+## enforcing mode. Set this to true and you have to reboot to set it back.
 ## </p>
 ## </desc>
 gen_bool(secure_mode_policyload,false)
 
+## <desc>
+## <p>
+## Boolean to determine whether the system permits setting Booelan values.
+## </p>
+## </desc>
+gen_bool(secure_mode_setbool,false)
+
 attribute boolean_type;
 attribute can_load_policy;
 attribute can_setenforce;
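Review bot: The description added for `secure_mode_setbool` misspells "Boolean" as "Booelan" and does not say which value locks Boolean changes or that the setting cannot be reverted at runtime. The rules added later in this commit take `setbool` and write access to `boolean_type` files away from `selinux_unconfined_type` once it is true, so those domains cannot switch it back off. Mirroring the secure_mode_policyload wording would make that explicit: `## Boolean to determine whether the system permits setting Boolean values. Set this to true and you have to reboot to set it back.`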
@@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam)
 allow selinux_unconfined_type security_t:dir list_dir_perms;
 allow selinux_unconfined_type security_t:file rw_file_perms;
 allow selinux_unconfined_type boolean_type:file read_file_perms;
-allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 
 # Access the security API.
-allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans };
+allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
 
-if(!secure_mode_policyload) {
+if (!secure_mode_policyload) {
 allow selinux_unconfined_type security_t:security { load_policy setenforce };
- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
+}
+
+if (!secure_mode_setbool) {
+ allow selinux_unconfined_type security_t:security setbool;
+}
+
+if (secure_mode_policyload && !secure_mode_setbool) {
+ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+}
+
+if (!secure_mode_policyload && !secure_mode_setbool) {
+ allow selinux_unconfined_type boolean_type:file write_file_perms;
 } |
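Review bot: `setsecparam` and `setcheckreqprot` remain in the unconditional `security_t:security` allow for `selinux_unconfined_type`, so with both secure_mode_policyload and secure_mode_setbool enabled these domains can still change checkreqprot and the other tunable security parameters. The commit message describes the pair as fully locking the SELinux security interface; if that is the intent, these two permissions should move under one of the conditionals. Otherwise the exception should be recorded above the allow, for example `# setsecparam and setcheckreqprot are intentionally not gated by the secure_mode Booleans.`. Only the `selinux_unconfined_type` rules are visible in this hunk; any other domain that is granted `setbool` elsewhere would need the same conditional to honour the new Boolean.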