From 3d0a6f966f6585ddb540f0abc5a8626850622000 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 19 Mar 2021 15:39:38 -0400
Subject: [PATCH] selinux: Add dontaudits when secure mode Booleans are enabled.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/selinux.if | 13 +++++++++++--
 policy/modules/kernel/selinux.te | 20 ++++++++++++++++----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 1a750a62b..8225d499f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 boolean_t:file read_file_perms;
 
-	if(!secure_mode_setbool) {
+	if(secure_mode_setbool) {
+		dontaudit $1 { boolean_t security_t }:file write_file_perms;
+		dontaudit $1 security_t:security setbool;
+	} else {
 		allow $1 { boolean_t security_t }:file write_file_perms;
 		allow $1 security_t:security setbool;
 	}
@@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
 	allow $1 boolean_type:file read_file_perms;
 	allow $1 secure_mode_policyload_t:file read_file_perms;
 
-	if (!secure_mode_setbool) {
+	if (secure_mode_setbool) {
+		dontaudit $1 security_t:security setbool;
+		dontaudit $1 security_t:file write_file_perms;
+		dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+	} else {
 		allow $1 security_t:security setbool;
 		allow $1 security_t:file write_file_perms;
 		allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
@@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
 
 	if(!secure_mode_policyload && !secure_mode_setbool) {
 		allow $1 secure_mode_policyload_t:file write_file_perms;
+	} else {
+		dontaudit $1 secure_mode_policyload_t:file write_file_perms;
 	}
 ')
 
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5bca43d30..ffe86460e 100644
--- a/policy/modules/kernel/selinux.te
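Review bot: The new `dontaudit $1 security_t:security setbool;` in the secure_mode_setbool branch of selinux_set_generic_booleans silences the one denial that tells an operator a Boolean-setting domain tried to change policy while the lockdown Boolean was on; the two file-write dontaudits already remove most of the noise a `setsebool` attempt produces, so consider leaving the `setbool` permission itself audited, or at least record the trade-off next to the branch: `# secure_mode_setbool: Boolean writes are denied and the denials suppressed; semodule -DB shows them when investigating`. The same choice is made in the selinux_set_all_booleans hunks below. If the `## <summary>` block of these interfaces (outside the hunk) describes the Boolean gating, it should now also say the denials are silent. Both interfaces begin before their first hunk and selinux_set_generic_booleans ends after it.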
+++ b/policy/modules/kernel/selinux.te
@@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
 
 dev_search_sysfs(can_setenforce)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+	dontaudit can_setenforce security_t:security setenforce;
+} else {
 	allow can_setenforce security_t:security setenforce;
 }
 
@@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
 
 dev_search_sysfs(can_load_policy)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+	dontaudit can_load_policy security_t:security load_policy;
+} else {
 	allow can_load_policy security_t:security load_policy;
 }
 
@@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
 # Access the security API.
 allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
 
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
+	dontaudit selinux_unconfined_type security_t:security { load_policy setenforce };
+} else {
 	allow selinux_unconfined_type security_t:security { load_policy setenforce };
 }
 
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
+	dontaudit selinux_unconfined_type security_t:security setbool;
+} else {
 	allow selinux_unconfined_type security_t:security setbool;
 }
 
 if (secure_mode_policyload && !secure_mode_setbool) {
 	allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+} else {
+	dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 }
 
 if (!secure_mode_policyload && !secure_mode_setbool) {
 	allow selinux_unconfined_type boolean_type:file write_file_perms;
+} else {
+	dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
 }
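Review bot: The new `dontaudit can_setenforce security_t:security setenforce;` removes the audit record of a setenforce attempt made while secure_mode_policyload is on, which is precisely the event (a `setenforce 0` from a compromised administrative shell) that the lockdown Boolean exists to block and that an incident responder would want in the log; the `load_policy` dontaudit in the following hunk has the same effect. If the goal is only to quiet legitimate tooling, consider keeping these two `security` class permissions audited while the lockdown is on, or document the decision where it is made: `# secure_mode_policyload: setenforce denials are suppressed; semodule -DB re-enables them for investigation`. This is a design trade-off rather than a defect, so it is raised for a decision rather than as a blocker.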
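Review bot: In the last two conditionals of the selinux_unconfined_type hunk, when both Booleans are off the new `dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;` from the first else branch sits alongside the `allow selinux_unconfined_type boolean_type:file write_file_perms;` granted by the second; that is harmless, since a dontaudit on an access that is allowed is inert, but it makes the four Boolean combinations hard to read. A short comment above the pair would spare the next reader the case analysis: `# Boolean file writes: both off -> all; policyload only -> all but secure_mode_policyload_t; setbool on -> none; denied cases are dontaudited.` The hunk appears to run to the last line of the file, so nothing after the final brace is affected.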