selinux: Add dontaudits when secure mode Booleans are enabled.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
parent
b36334e937
commit
3d0a6f966f
|
@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
|
|||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 boolean_t:file read_file_perms;
|
||||
|
||||
if(!secure_mode_setbool) {
|
||||
if(secure_mode_setbool) {
|
||||
dontaudit $1 { boolean_t security_t }:file write_file_perms;
|
||||
dontaudit $1 security_t:security setbool;
|
||||
} else {
|
||||
allow $1 { boolean_t security_t }:file write_file_perms;
|
||||
allow $1 security_t:security setbool;
|
||||
}
|
||||
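Review bot: The dontaudit rules in the `secure_mode_setbool` branch (`dontaudit $1 { boolean_t security_t }:file write_file_perms;` and `dontaudit $1 security_t:security setbool;`) drop the AVC record of a domain trying to change a boolean while the lockdown is on, which is the one attempt an operator who deliberately enabled secure mode is likely to want logged. This is presumably intentional noise reduction, but it should be stated in the interface's `## <summary>`/`## <desc>` comment block above the hunk, e.g. `## When secure_mode_setbool is enabled the denied boolean writes are not audited; rebuild with dontaudit rules disabled (semodule -DB) to see them.` The same applies to the new dontaudit lines in the two `selinux_set_all_booleans` hunks below and in the `-57`, `-73` and `-104` hunks of the second file. The interface definition starts before this hunk and its closing `')` is outside it.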
|
@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
|
|||
allow $1 boolean_type:file read_file_perms;
|
||||
allow $1 secure_mode_policyload_t:file read_file_perms;
|
||||
|
||||
if (!secure_mode_setbool) {
|
||||
if (secure_mode_setbool) {
|
||||
dontaudit $1 security_t:security setbool;
|
||||
dontaudit $1 security_t:file write_file_perms;
|
||||
dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
|
||||
} else {
|
||||
allow $1 security_t:security setbool;
|
||||
allow $1 security_t:file write_file_perms;
|
||||
allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
|
||||
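Review bot: `if (secure_mode_setbool) {` at the top of this hunk puts a space before the parenthesis, while the conditional this commit adds in `selinux_set_generic_booleans` above is spelled `if(secure_mode_setbool) {`; the `-57` and `-73` hunks of the second file use `if(` and its `-104` hunk uses `if (`, so the lines added by one commit mix both forms. Pick one spelling for the added conditionals; the surrounding file appears to already mix them, so either is defensible, but new lines should not add to the inconsistency. The `} else {` opened here is closed by a brace outside this hunk.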
|
@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
|
|||
|
||||
if(!secure_mode_policyload && !secure_mode_setbool) {
|
||||
allow $1 secure_mode_policyload_t:file write_file_perms;
|
||||
} else {
|
||||
dontaudit $1 secure_mode_policyload_t:file write_file_perms;
|
||||
}
|
||||
')
|
||||
|
||||
|
|
|
@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
|
|||
|
||||
dev_search_sysfs(can_setenforce)
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
if(secure_mode_policyload) {
|
||||
dontaudit can_setenforce security_t:security setenforce;
|
||||
} else {
|
||||
allow can_setenforce security_t:security setenforce;
|
||||
}
|
||||
|
||||
|
@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
|
|||
|
||||
dev_search_sysfs(can_load_policy)
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
if(secure_mode_policyload) {
|
||||
dontaudit can_load_policy security_t:security load_policy;
|
||||
} else {
|
||||
allow can_load_policy security_t:security load_policy;
|
||||
}
|
||||
|
||||
|
@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
|
|||
# Access the security API.
|
||||
allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
|
||||
|
||||
if (!secure_mode_policyload) {
|
||||
if (secure_mode_policyload) {
|
||||
dontaudit selinux_unconfined_type security_t:security { load_policy setenforce };
|
||||
} else {
|
||||
allow selinux_unconfined_type security_t:security { load_policy setenforce };
|
||||
}
|
||||
|
||||
if (!secure_mode_setbool) {
|
||||
if (secure_mode_setbool) {
|
||||
dontaudit selinux_unconfined_type security_t:security setbool;
|
||||
} else {
|
||||
allow selinux_unconfined_type security_t:security setbool;
|
||||
}
|
||||
|
||||
if (secure_mode_policyload && !secure_mode_setbool) {
|
||||
allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
|
||||
} else {
|
||||
dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
|
||||
}
|
||||
|
||||
if (!secure_mode_policyload && !secure_mode_setbool) {
|
||||
allow selinux_unconfined_type boolean_type:file write_file_perms;
|
||||
} else {
|
||||
dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
|
||||
}
|
||||
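Review bot: The last two conditionals in this hunk act on overlapping type sets, `{ boolean_type -secure_mode_policyload_t }` and `boolean_type`, so when `secure_mode_policyload` is on and `secure_mode_setbool` is off the `else` branch of the second one dontaudits writes that the first one has just allowed; that is harmless, since an allowed access produces no denial to suppress, but the effective outcome — only `secure_mode_policyload_t` stays read-only, as far as this hunk shows — cannot be read off either block. Splitting them the way the `selinux_set_all_booleans` hunks above do, one conditional on `secure_mode_setbool` for the other booleans and one on both booleans for `secure_mode_policyload_t`, yields the same effective allow and audit behaviour without the overlap.
```sepolicy
# … unchanged: load_policy/setenforce and setbool conditionals …

if (!secure_mode_setbool) {
	allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
} else {
	dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
}

if (!secure_mode_policyload && !secure_mode_setbool) {
	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
} else {
	dontaudit selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}
```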
|