authorChris PeBenito <pebenito@ieee.org>2021-03-19 15:39:38 -0400
committerJason Zaman <perfinion@gentoo.org>2021-04-02 11:54:58 -0700
commit190cf9a6768816df3af34f6e991c5768da97c759 (patch)
treea18b00a28e058be30e5b5ab8f641db38ec8b10e2
parentselinux: Set regular file for labeled Booleans genfscons. (diff)
selinux: Add dontaudits when secure mode Booleans are enabled.
Signed-off-by: Chris PeBenito <pebenito@ieee.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/kernel/selinux.if13
-rw-r--r--policy/modules/kernel/selinux.te20
2 files changed, 27 insertions, 6 deletions
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 1a750a62..8225d499 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
allow $1 security_t:dir list_dir_perms;
allow $1 boolean_t:file read_file_perms;
- if(!secure_mode_setbool) {
+ if(secure_mode_setbool) {
+ dontaudit $1 { boolean_t security_t }:file write_file_perms;
+ dontaudit $1 security_t:security setbool;
+ } else {
allow $1 { boolean_t security_t }:file write_file_perms;
allow $1 security_t:security setbool;
}
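Review bot: The new `dontaudit $1 { boolean_t security_t }:file write_file_perms;` / `dontaudit $1 security_t:security setbool;` branch removes the AVC record of a domain trying to change a Boolean while secure_mode_setbool is on, so an investigator sees nothing unless dontaudit rules are disabled; the same pattern appears in the two following hunks of this file and in the selinux.te hunks, and none of them says why the denials are being hidden. A short comment at the top of the new branch would carry that intent, e.g. `# secure mode: silence expected denials from Boolean-management tools; disable dontaudit rules (semodule -DB) when investigating`. The `selinux_set_generic_booleans` interface begins before this hunk.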
@@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
allow $1 boolean_type:file read_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
- if (!secure_mode_setbool) {
+ if (secure_mode_setbool) {
+ dontaudit $1 security_t:security setbool;
+ dontaudit $1 security_t:file write_file_perms;
+ dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+ } else {
allow $1 security_t:security setbool;
allow $1 security_t:file write_file_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
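Review bot: In the `if (secure_mode_setbool)` branch the dontaudit on Boolean-file writes excludes `secure_mode_policyload_t`, and the dontaudit for that type only arrives through the else branch added in the next hunk's `!secure_mode_policyload && !secure_mode_setbool` conditional; the coverage appears complete, but it is split across two conditionals with nothing linking them. A one-line comment on the exclusion, `# secure_mode_policyload_t writes are handled by the following conditional`, would make the pairing explicit to the next editor. The `selinux_set_all_booleans` interface continues past the end of this hunk.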
@@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
if(!secure_mode_policyload && !secure_mode_setbool) {
allow $1 secure_mode_policyload_t:file write_file_perms;
+ } else {
+ dontaudit $1 secure_mode_policyload_t:file write_file_perms;
}
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5bca43d3..ffe86460 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
dev_search_sysfs(can_setenforce)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+ dontaudit can_setenforce security_t:security setenforce;
+} else {
allow can_setenforce security_t:security setenforce;
}
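Review bot: The added `dontaudit can_setenforce security_t:security setenforce;` silences the denial that is the only record of a domain attempting to change enforcing mode while secure_mode_policyload is on, which is exactly the action that Boolean exists to block; the same applies to the `load_policy` dontaudit in the next hunk and to the `{ load_policy setenforce }` dontaudit for selinux_unconfined_type in the last hunk. If the goal is to quiet tools that merely probe for the permission, it would be safer to keep these three denials audited and limit the new dontaudits to the Boolean-file and setbool rules, or at least state the trade-off next to each one with `# Not audited in secure mode by design; use semodule -DB to see attempts`.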
@@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
dev_search_sysfs(can_load_policy)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+ dontaudit can_load_policy security_t:security load_policy;
+} else {
allow can_load_policy security_t:security load_policy;
}
@@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
# Access the security API.
allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
+ dontaudit selinux_unconfined_type security_t:security { load_policy setenforce };
+} else {
allow selinux_unconfined_type security_t:security { load_policy setenforce };
}
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
+ dontaudit selinux_unconfined_type security_t:security setbool;
+} else {
allow selinux_unconfined_type security_t:security setbool;
}
if (secure_mode_policyload && !secure_mode_setbool) {
allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+} else {
+ dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
}
if (!secure_mode_policyload && !secure_mode_setbool) {
allow selinux_unconfined_type boolean_type:file write_file_perms;
+} else {
+ dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
}
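Review bot: The new else branch on the `secure_mode_policyload && !secure_mode_setbool` conditional dontaudits writes to `{ boolean_type -secure_mode_policyload_t }`, but when neither Boolean is set that dontaudit sits alongside the `allow selinux_unconfined_type boolean_type:file write_file_perms;` granted by the following conditional, where it has no effect. Changing the first condition to `if (!secure_mode_setbool) {` gives the same effective access for every combination of the two Booleans (the unrestricted case then carries a redundant allow instead of an inert dontaudit) and makes the dontaudit apply only when the write is actually denied. It would also match how `selinux_set_all_booleans` in selinux.if splits the same rules on secure_mode_setbool alone.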