commit:     190cf9a6768816df3af34f6e991c5768da97c759
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 19 19:39:38 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Apr  2 18:54:58 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=190cf9a6

selinux: Add dontaudits when secure mode Booleans are enabled.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/selinux.if | 13 +++++++++++--
 policy/modules/kernel/selinux.te | 20 ++++++++++++++++----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 1a750a62..8225d499 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
        allow $1 security_t:dir list_dir_perms;
        allow $1 boolean_t:file read_file_perms;
 
-       if(!secure_mode_setbool) {
+       if(secure_mode_setbool) {
+               dontaudit $1 { boolean_t security_t }:file write_file_perms;
+               dontaudit $1 security_t:security setbool;
+       } else {
                allow $1 { boolean_t security_t }:file write_file_perms;
                allow $1 security_t:security setbool;
        }
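Review bot: The new `if(secure_mode_setbool)` branch silences a denied setbool rather than logging it, but neither the branch nor the commit message says why, and the dontaudit branches in the next two hunks of this file have the same gap. A one-line comment inside the branch such as `# secure_mode_setbool is on: the write is denied, and the denial is not audited` would let a policy reader see the trade-off without consulting history. Callers of selinux_set_generic_booleans now get visibly different results depending on the Boolean, so the interface's description block above the hunk (outside this view) presumably should mention that in secure mode the attempt is refused silently.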
@@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
        allow $1 boolean_type:file read_file_perms;
        allow $1 secure_mode_policyload_t:file read_file_perms;
 
-       if (!secure_mode_setbool) {
+       if (secure_mode_setbool) {
+               dontaudit $1 security_t:security setbool;
+               dontaudit $1 security_t:file write_file_perms;
+               dontaudit $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
+       } else {
                allow $1 security_t:security setbool;
                allow $1 security_t:file write_file_perms;
                allow $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
@@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
 
        if(!secure_mode_policyload && !secure_mode_setbool) {
                allow $1 secure_mode_policyload_t:file write_file_perms;
+       } else {
+               dontaudit $1 secure_mode_policyload_t:file write_file_perms;
        }
 ')
 

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5bca43d3..ffe86460 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
 
 dev_search_sysfs(can_setenforce)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+       dontaudit can_setenforce security_t:security setenforce;
+} else {
        allow can_setenforce security_t:security setenforce;
 }
 
@@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
 
 dev_search_sysfs(can_load_policy)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+       dontaudit can_load_policy security_t:security load_policy;
+} else {
        allow can_load_policy security_t:security load_policy;
 }
 
@@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file 
read_file_perms;
 # Access the security API.
 allow selinux_unconfined_type security_t:security { compute_av compute_create 
compute_member check_context compute_relabel compute_user setsecparam 
setcheckreqprot read_policy validate_trans };
 
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
+       dontaudit selinux_unconfined_type security_t:security { load_policy 
setenforce };
+} else {
        allow selinux_unconfined_type security_t:security { load_policy 
setenforce };
 }
 
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
+       dontaudit selinux_unconfined_type security_t:security setbool;
+} else {
        allow selinux_unconfined_type security_t:security setbool;
 }
 
 if (secure_mode_policyload && !secure_mode_setbool) {
        allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t 
}:file write_file_perms;
+} else {
+       dontaudit selinux_unconfined_type { boolean_type 
-secure_mode_policyload_t }:file write_file_perms;
 }
 
 if (!secure_mode_policyload && !secure_mode_setbool) {
        allow selinux_unconfined_type boolean_type:file write_file_perms;
+} else {
+       dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
 }
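Review bot: The two new else branches on boolean_type:file emit dontaudit rules that overlap an allow from the neighbouring block in some Boolean states: with both Booleans off, the dontaudit on `{ boolean_type -secure_mode_policyload_t }` is shadowed by the unconditional-in-that-state `allow selinux_unconfined_type boolean_type:file write_file_perms;`, and with secure_mode_policyload on and setbool off, the dontaudit on all of boolean_type overlaps the allow on boolean_type minus secure_mode_policyload_t. This is harmless for access decisions, since allow wins over dontaudit, but it makes the effective rule set per state harder to read than it needs to be. Splitting the rules so that each fires in exactly one state gives the same effective policy with no overlap; the security_t:security conditionals earlier in the hunk are unchanged.
```selinux
# … unchanged: security_t:security load_policy/setenforce/setbool conditionals …
if (secure_mode_setbool) {
        dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
}

if (secure_mode_policyload && !secure_mode_setbool) {
        allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
        dontaudit selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}

if (!secure_mode_policyload && !secure_mode_setbool) {
        allow selinux_unconfined_type boolean_type:file write_file_perms;
}
```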
