Change secure_mode_policyload to disable only toggling of this Boolean rather than disabling all Boolean toggling permissions.

Changelog

@@ -1,3 +1,5 @@
+- Change secure_mode_policyload to disable only toggling of this Boolean
+  rather than disabling all Boolean toggling permissions.
 - Use role attributes to assist with domain transitions in interactive
   programs.
 - Milter ports patch from Paul Howarth.

policy/modules/kernel/selinux.if

@@ -433,20 +433,17 @@ interface(`selinux_set_boolean',`
 interface(`selinux_set_generic_booleans',`
 	gen_require(`
 		type security_t;
-		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 
-	if(!secure_mode_policyload) {
+	allow $1 security_t:security setbool;
-		allow $1 security_t:security setbool;
 
-		ifdef(`distro_rhel4',`
+	ifdef(`distro_rhel4',`
-			# needed for systems without audit support
+		# needed for systems without audit support
-			auditallow $1 security_t:security setbool;
+		auditallow $1 security_t:security setbool;
-		')
+	')
-	}
 ')
 
 ########################################
@@ -473,21 +470,24 @@ interface(`selinux_set_generic_booleans',`
 #
 interface(`selinux_set_all_booleans',`
 	gen_require(`
-		type security_t;
+		type security_t, secure_mode_policyload_t;
 		attribute boolean_type;
 		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 boolean_type:file rw_file_perms;
+	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+	allow $1 secure_mode_policyload_t:file read_file_perms;
+
+	allow $1 security_t:security setbool;
+
+	ifdef(`distro_rhel4',`
+		# needed for systems without audit support
+		auditallow $1 security_t:security setbool;
+	')
 
 	if(!secure_mode_policyload) {
-		allow $1 security_t:security setbool;
+		allow $1 secure_mode_policyload_t:file write_file_perms;
-
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security setbool;
-		')
 	}
 ')
 

policy/modules/kernel/selinux.te

@@ -1,4 +1,4 @@
-policy_module(selinux, 1.10.0)
+policy_module(selinux, 1.10.1)
 
 ########################################
 #
@@ -20,6 +20,9 @@ attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
+type secure_mode_policyload_t;
+selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
+
 # 
 # security_t is the target type when checking
 # the permissions in the security class.  It is also
@@ -45,16 +48,22 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
 allow selinux_unconfined_type security_t:dir list_dir_perms;
 allow selinux_unconfined_type security_t:file rw_file_perms;
 allow selinux_unconfined_type boolean_type:file read_file_perms;
+allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 
 # Access the security API.
-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
+
+ifdef(`distro_rhel4',`
+	# needed for systems without audit support
+	auditallow selinux_unconfined_type security_t:security setbool;
+')
 
 if(!secure_mode_policyload) {
-	allow selinux_unconfined_type boolean_type:file rw_file_perms;
+	allow selinux_unconfined_type security_t:security { load_policy setenforce };
-	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
 
 	ifdef(`distro_rhel4',`
 		# needed for systems without audit support
-		auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+		auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
 	')
 }