From 3ab2274e3d7fe5dbc9a5126b6a0738f7656e382e Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 5 Mar 2021 16:06:44 -0500 Subject: [PATCH] selinux: Add a secure_mode_setbool Boolean. Enabling this will disable all permissions for setting SELinux Booleans, even for unconfined domains. This does not affect setenforce. Enable secure_mode_policyload along with secure_mode_setbool to fully lock the SELinux security interface. Signed-off-by: Chris PeBenito --- policy/modules/kernel/selinux.if | 19 +++++++++++++------ policy/modules/kernel/selinux.te | 30 +++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 43eebcd0f..21d22deda 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -392,14 +392,18 @@ interface(`selinux_read_policy',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; + bool secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file read_file_perms; - allow $1 security_t:security setbool; + if(!secure_mode_setbool) { + allow $1 security_t:file write_file_perms; + allow $1 security_t:security setbool; + } ') ######################################## @@ -428,18 +432,21 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; - bool secure_mode_policyload; + bool secure_mode_policyload, secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; + allow $1 boolean_type:file read_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; - allow $1 security_t:security setbool; + if (!secure_mode_setbool) { + allow $1 security_t:security setbool; + allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; + } - if(!secure_mode_policyload) { + if(!secure_mode_policyload && !secure_mode_setbool) { allow $1 secure_mode_policyload_t:file write_file_perms; } ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 3e4f20005..a1b4ae3e4 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0) ## ##

-## Boolean to determine whether the system permits loading policy, setting -## enforcing mode, and changing boolean values. Set this to true and you -## have to reboot to set it back. +## Boolean to determine whether the system permits loading policy, and setting +## enforcing mode. Set this to true and you have to reboot to set it back. ##

##
gen_bool(secure_mode_policyload,false) +## +##

+## Boolean to determine whether the system permits setting Booelan values. +##

+##
+gen_bool(secure_mode_setbool,false) + attribute boolean_type; attribute can_load_policy; attribute can_setenforce; @@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam) allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; -allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. -allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans }; +allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans }; -if(!secure_mode_policyload) { +if (!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce }; - allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; +} + +if (!secure_mode_setbool) { + allow selinux_unconfined_type security_t:security setbool; +} + +if (secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; +} + +if (!secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type boolean_type:file write_file_perms; }