commit:     e9c469300bd10185540b0698ed074a98d86f4672
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 19 19:03:47 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Apr  2 18:54:58 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9c46930

selinux: Change generic Boolean type to boolean_t.

This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/selinux.if | 7 ++++---
 policy/modules/kernel/selinux.te | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 21d22ded..f8fcba98 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -391,17 +391,17 @@ interface(`selinux_read_policy',`
 #
 interface(`selinux_set_generic_booleans',`
        gen_require(`
-               type security_t;
+               type boolean_t, security_t;
                bool secure_mode_setbool;
        ')
 
        dev_search_sysfs($1)
 
        allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file read_file_perms;
+       allow $1 boolean_t:file read_file_perms;
 
        if(!secure_mode_setbool) {
-               allow $1 security_t:file write_file_perms;
+               allow $1 { boolean_t security_t }:file write_file_perms;
                allow $1 security_t:security setbool;
        }
 ')
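Review bot: The write rule in `selinux_set_generic_booleans` still includes `security_t`, and nothing in the interface says why, so a later cleanup could drop it or assume it is harmless. Presumably it is kept because committing pending values goes through a selinuxfs node that remains labelled `security_t`; if so, a comment such as `# security_t write is still required to commit pending Boolean values` above `allow $1 { boolean_t security_t }:file write_file_perms;` would record that. The same applies to the `allow $1 security_t:file write_file_perms;` line added to `selinux_set_all_booleans` in the next hunk. The interface documentation should also state that callers no longer receive `security_t:file read_file_perms`, since any caller that relied on this interface to read other selinuxfs files now needs a separate grant.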
@@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',`
 
        if (!secure_mode_setbool) {
                allow $1 security_t:security setbool;
+               allow $1 security_t:file write_file_perms;
                allow $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
        }
 

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 71147210..5bca43d3 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -26,6 +26,9 @@ attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
+type boolean_t, boolean_type;
+genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
+
 type secure_mode_policyload_t;
 selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 
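Review bot: `boolean_t` is declared with only the `boolean_type` attribute, while the generic Boolean files it now labels were previously `security_t`, which the next hunk shows carrying `mls_trusted_object(security_t)` and `fs_type(security_t)`. On MLS builds this may change which domains can write generic Booleans, because the files sit at `s0` and are no longer a trusted object; I cannot tell from the hunk whether that tightening is intended. Either note next to the declaration that it is deliberate, or add `mls_trusted_object(boolean_t)` if the old behaviour must be preserved. A one-line comment such as `# Default label for Booleans that do not have their own type.` above `type boolean_t, boolean_type;` would also help readers.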
@@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, 
secure_mode_policyload)
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, boolean_type;
+type security_t;
 files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)
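Review bot: The comment above `type security_t;` still says the type is "applied to selinuxfs inodes", which is no longer accurate once files under `/booleans/` are labelled `boolean_t`. Suggest rewording that sentence to `# applied to selinuxfs inodes other than Booleans.` The start of the comment block is outside the hunk, so the rest of its wording should be checked as well. Any rule elsewhere that reached `security_t` files only through the `boolean_type` attribute loses that access with this line; the hunks shown here add an explicit grant only in `selinux_set_all_booleans`.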
