From 9d57bf3a2ed778d6ea02d75d5aaca3ad68db0893 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Fri, 19 Mar 2021 15:03:47 -0400
Subject: [PATCH] selinux: Change generic Boolean type to boolean_t.

This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---
 policy/modules/kernel/selinux.if | 7 ++++---
 policy/modules/kernel/selinux.te | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 21d22deda..f8fcba984 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -391,17 +391,17 @@ interface(`selinux_read_policy',`
 #
 interface(`selinux_set_generic_booleans',`
 	gen_require(`
-		type security_t;
+		type boolean_t, security_t;
 		bool secure_mode_setbool;
 	')
 
 	dev_search_sysfs($1)
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file read_file_perms;
+	allow $1 boolean_t:file read_file_perms;
 
 	if(!secure_mode_setbool) {
-		allow $1 security_t:file write_file_perms;
+		allow $1 { boolean_t security_t }:file write_file_perms;
 		allow $1 security_t:security setbool;
 	}
 ')
@@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',`
 
 	if (!secure_mode_setbool) {
 		allow $1 security_t:security setbool;
+		allow $1 security_t:file write_file_perms;
 		allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 	}
 
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 711472104..5bca43d30 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -26,6 +26,9 @@ attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
+type boolean_t, boolean_type;
+genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
+
 type secure_mode_policyload_t;
 selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 
@@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, boolean_type;
+type security_t;
 files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)