author | Chris PeBenito <pebenito@ieee.org> | 2021-03-19 15:39:38 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-04-02 11:54:58 -0700 |
commit | 190cf9a6768816df3af34f6e991c5768da97c759 (patch) | |
tree | a18b00a28e058be30e5b5ab8f641db38ec8b10e2 | |
parent | selinux: Set regular file for labeled Booleans genfscons. (diff) | |
selinux: Add dontaudits when secure mode Booleans are enabled.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/selinux.if | 13 | ||||
-rw-r--r-- | policy/modules/kernel/selinux.te | 20 |
2 files changed, 27 insertions, 6 deletions
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 1a750a62..8225d499 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
 allow $1 security_t:dir list_dir_perms;
 allow $1 boolean_t:file read_file_perms;
- if(!secure_mode_setbool) {
+ if(secure_mode_setbool) {
+ dontaudit $1 { boolean_t security_t }:file write_file_perms;
+ dontaudit $1 security_t:security setbool;
+ } else {
 allow $1 { boolean_t security_t }:file write_file_perms;
 allow $1 security_t:security setbool;
 }
@@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
 allow $1 boolean_type:file read_file_perms;
 allow $1 secure_mode_policyload_t:file read_file_perms;
- if (!secure_mode_setbool) {
+ if (secure_mode_setbool) {
+ dontaudit $1 security_t:security setbool;
+ dontaudit $1 security_t:file write_file_perms;
+ dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+ } else {
 allow $1 security_t:security setbool;
 allow $1 security_t:file write_file_perms;
 allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
@@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
 if(!secure_mode_policyload && !secure_mode_setbool) {
 allow $1 secure_mode_policyload_t:file write_file_perms;
+ } else {
+ dontaudit $1 secure_mode_policyload_t:file write_file_perms;
 }
 ')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5bca43d3..ffe86460 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
 dev_search_sysfs(can_setenforce)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+ dontaudit can_setenforce security_t:security setenforce;
+} else {
 allow can_setenforce security_t:security setenforce;
 }
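Review bot: The new secure-mode branches silence exactly the denials an operator would want to see once `secure_mode_setbool` or `secure_mode_policyload` is deliberately enabled — `dontaudit $1 security_t:security setbool;` in the `selinux_set_generic_booleans` hunk hides a caller's attempt to flip a Boolean in secure mode, and the same applies to the `setbool`/`write_file_perms` dontaudits in the two `selinux_set_all_booleans` hunks, to `dontaudit can_setenforce security_t:security setenforce;` in the selinux.te @@ -57 hunk, and to the `load_policy`/`setenforce`/`setbool` dontaudits in the selinux.te @@ -73 and @@ -104 hunks. If the intent is only to keep tools such as setsebool from filling the log when the Booleans are set on purpose, a one-line comment above the first such block would record that trade-off, e.g. `# secure mode: deny quietly; semodule -DB re-enables auditing of these denials`. Otherwise it may be worth keeping `setenforce` and `load_policy` audited and limiting the dontaudits to the Boolean file writes, since an attempt to switch enforcement off is the event secure_mode_policyload is meant to guard against. The `interface(...)` definitions in selinux.if begin above their hunks, so their `## <summary>` documentation is not visible here; it should mention that attempts are denied silently in secure mode.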
@@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
 dev_search_sysfs(can_load_policy)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+ dontaudit can_load_policy security_t:security load_policy;
+} else {
 allow can_load_policy security_t:security load_policy;
 }
@@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
 # Access the security API.
 allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
+ dontaudit selinux_unconfined_type security_t:security { load_policy setenforce };
+} else {
 allow selinux_unconfined_type security_t:security { load_policy setenforce };
 }
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
+ dontaudit selinux_unconfined_type security_t:security setbool;
+} else {
 allow selinux_unconfined_type security_t:security setbool;
 }
 if (secure_mode_policyload && !secure_mode_setbool) {
 allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+} else {
+ dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 }
 if (!secure_mode_policyload && !secure_mode_setbool) {
 allow selinux_unconfined_type boolean_type:file write_file_perms;
+} else {
+ dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
 } |
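Review bot: The `else` branch added to `if (secure_mode_policyload && !secure_mode_setbool)` in the @@ -104 hunk also fires when both Booleans are off, and in that state the following block's `allow selinux_unconfined_type boolean_type:file write_file_perms;` already grants a superset, so the new `dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;` is inert there. That is harmless in SELinux (an allow is never weakened by a dontaudit), but a reader tracing the four Boolean combinations has to work that out; a short comment such as `# only effective when secure_mode_setbool is on; the !policyload && !setbool case is allowed below` would spare them. The same overlap exists between the new `else` on `if (!secure_mode_policyload && !secure_mode_setbool)` and the block above it. Both blocks are at file scope in selinux.te, so nothing is cut by the hunk.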