selinux: Change generic Boolean type to boolean_t.

This will prevent other security_t writers from setting Boolean pending values, which could be activated unwittingly by setbool processes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:03:47 -04:00 · 2021-03-19 15:03:47 -04:00 · 9d57bf3a2e
parent df99dfe8ea
commit 9d57bf3a2e
2 changed files with 8 additions and 4 deletions
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -391,17 +391,17 @@ interface(`selinux_read_policy',`
 #
 interface(`selinux_set_generic_booleans',`
 	gen_require(`
-		type security_t;
+		type boolean_t, security_t;
 		bool secure_mode_setbool;
 	')

 	dev_search_sysfs($1)

 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file read_file_perms;
+	allow $1 boolean_t:file read_file_perms;

 	if(!secure_mode_setbool) {
-		allow $1 security_t:file write_file_perms;
+		allow $1 { boolean_t security_t }:file write_file_perms;
 		allow $1 security_t:security setbool;
 	}
 ')
@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',`

 	if (!secure_mode_setbool) {
 		allow $1 security_t:security setbool;
+		allow $1 security_t:file write_file_perms;
 		allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 	}

--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@ -26,6 +26,9 @@ attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;

+type boolean_t, boolean_type;
+genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
+
 type secure_mode_policyload_t;
 selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)

@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, boolean_type;
+type security_t;
 files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)