selinux: Change generic Boolean type to boolean_t.

This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2021-03-19 15:03:47 -04:00
parent df99dfe8ea
commit 9d57bf3a2e
2 changed files with 8 additions and 4 deletions

View File

@ -391,17 +391,17 @@ interface(`selinux_read_policy',`
#
interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
type boolean_t, security_t;
bool secure_mode_setbool;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 boolean_t:file read_file_perms;
if(!secure_mode_setbool) {
allow $1 security_t:file write_file_perms;
allow $1 { boolean_t security_t }:file write_file_perms;
allow $1 security_t:security setbool;
}
')
@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',`
if (!secure_mode_setbool) {
allow $1 security_t:security setbool;
allow $1 security_t:file write_file_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
}

View File

@ -26,6 +26,9 @@ attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
type boolean_t, boolean_type;
genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
type secure_mode_policyload_t;
selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
type security_t, boolean_type;
type security_t;
files_mountpoint(security_t)
fs_type(security_t)
mls_trusted_object(security_t)