selinux: Add dontaudits when secure mode Booleans are enabled.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:39:38 -04:00 · 2021-03-19 15:39:38 -04:00 · 3d0a6f966f
parent b36334e937
commit 3d0a6f966f
2 changed files with 27 additions and 6 deletions
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 boolean_t:file read_file_perms;
-	if(!secure_mode_setbool) {
+	if(secure_mode_setbool) {
 		dontaudit $1 { boolean_t security_t }:file write_file_perms;
 		dontaudit $1 security_t:security setbool;
 	} else {
 		allow $1 { boolean_t security_t }:file write_file_perms;
 		allow $1 security_t:security setbool;
 	}
@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
 	allow $1 boolean_type:file read_file_perms;
 	allow $1 secure_mode_policyload_t:file read_file_perms;
-	if (!secure_mode_setbool) {
+	if (secure_mode_setbool) {
 		dontaudit $1 security_t:security setbool;
 		dontaudit $1 security_t:file write_file_perms;
 		dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 	} else {
 		allow $1 security_t:security setbool;
 		allow $1 security_t:file write_file_perms;
 		allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
 	if(!secure_mode_policyload && !secure_mode_setbool) {
 		allow $1 secure_mode_policyload_t:file write_file_perms;
 	} else {
 		dontaudit $1 secure_mode_policyload_t:file write_file_perms;
 	}
 ')
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
 dev_search_sysfs(can_setenforce)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
 	dontaudit can_setenforce security_t:security setenforce;
 } else {
 	allow can_setenforce security_t:security setenforce;
 }
@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
 dev_search_sysfs(can_load_policy)
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
 	dontaudit can_load_policy security_t:security load_policy;
 } else {
 	allow can_load_policy security_t:security load_policy;
 }
@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
 # Access the security API.
 allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
 	dontaudit selinux_unconfined_type security_t:security { load_policy setenforce };
 } else {
 	allow selinux_unconfined_type security_t:security { load_policy setenforce };
 }
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
 	dontaudit selinux_unconfined_type security_t:security setbool;
 } else {
 	allow selinux_unconfined_type security_t:security setbool;
 }
 if (secure_mode_policyload && !secure_mode_setbool) {
 	allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 } else {
 	dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 }
 if (!secure_mode_policyload && !secure_mode_setbool) {
 	allow selinux_unconfined_type boolean_type:file write_file_perms;
 } else {
 	dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
 }