Revise selinux module interfaces for perms protected by neverallows.
Use the allow rules on the relevant attributes in selinux.te, rather than only using the attribute to pass the neverallows. Closes #14
This commit is contained in:
Chris PeBenito
parent
a3208c3495
commit
b94f45d760
|
|
@ -322,19 +322,10 @@ interface(`selinux_get_enforce_mode',`
|
||||||
#
|
#
|
||||||
interface(`selinux_set_enforce_mode',`
|
interface(`selinux_set_enforce_mode',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type security_t;
|
|
||||||
attribute can_setenforce;
|
attribute can_setenforce;
|
||||||
bool secure_mode_policyload;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_search_sysfs($1)
|
|
||||||
allow $1 security_t:dir list_dir_perms;
|
|
||||||
allow $1 security_t:file rw_file_perms;
|
|
||||||
typeattribute $1 can_setenforce;
|
typeattribute $1 can_setenforce;
|
||||||
|
|
||||||
if(!secure_mode_policyload) {
|
|
||||||
allow $1 security_t:security setenforce;
|
|
||||||
}
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
@ -349,19 +340,10 @@ interface(`selinux_set_enforce_mode',`
|
||||||
#
|
#
|
||||||
interface(`selinux_load_policy',`
|
interface(`selinux_load_policy',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type security_t;
|
|
||||||
attribute can_load_policy;
|
attribute can_load_policy;
|
||||||
bool secure_mode_policyload;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_search_sysfs($1)
|
|
||||||
allow $1 security_t:dir list_dir_perms;
|
|
||||||
allow $1 security_t:file rw_file_perms;
|
|
||||||
typeattribute $1 can_load_policy;
|
typeattribute $1 can_load_policy;
|
||||||
|
|
||||||
if(!secure_mode_policyload) {
|
|
||||||
allow $1 security_t:security load_policy;
|
|
||||||
}
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
@ -518,15 +500,9 @@ interface(`selinux_set_all_booleans',`
|
||||||
#
|
#
|
||||||
interface(`selinux_set_parameters',`
|
interface(`selinux_set_parameters',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type security_t;
|
|
||||||
attribute can_setsecparam;
|
attribute can_setsecparam;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_search_sysfs($1)
|
|
||||||
allow $1 security_t:dir list_dir_perms;
|
|
||||||
allow $1 security_t:file rw_file_perms;
|
|
||||||
allow $1 security_t:security setsecparam;
|
|
||||||
auditallow $1 security_t:security setsecparam;
|
|
||||||
typeattribute $1 can_setsecparam;
|
typeattribute $1 can_setsecparam;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
policy_module(selinux, 1.14.0)
|
policy_module(selinux, 1.14.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
@ -36,10 +36,52 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
|
||||||
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
|
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
|
||||||
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
|
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
|
||||||
|
|
||||||
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
########################################
|
||||||
|
#
|
||||||
|
# Controlled setenforce access
|
||||||
|
#
|
||||||
|
|
||||||
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
|
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
|
||||||
|
|
||||||
|
allow can_setenforce security_t:dir list_dir_perms;
|
||||||
|
allow can_setenforce security_t:file rw_file_perms;
|
||||||
|
|
||||||
|
dev_search_sysfs(can_setenforce)
|
||||||
|
|
||||||
|
if(!secure_mode_policyload) {
|
||||||
|
allow can_setenforce security_t:security setenforce;
|
||||||
|
}
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Controlled load_policy access
|
||||||
|
#
|
||||||
|
|
||||||
|
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
||||||
|
|
||||||
|
allow can_load_policy security_t:dir list_dir_perms;
|
||||||
|
allow can_load_policy security_t:file rw_file_perms;
|
||||||
|
|
||||||
|
dev_search_sysfs(can_load_policy)
|
||||||
|
|
||||||
|
if(!secure_mode_policyload) {
|
||||||
|
allow can_load_policy security_t:security load_policy;
|
||||||
|
}
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Controlled security parameters access
|
||||||
|
#
|
||||||
|
|
||||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||||
|
|
||||||
|
allow can_setsecparam security_t:dir list_dir_perms;
|
||||||
|
allow can_setsecparam security_t:file rw_file_perms;
|
||||||
|
allow can_setsecparam security_t:security setsecparam;
|
||||||
|
auditallow can_setsecparam security_t:security setsecparam;
|
||||||
|
|
||||||
|
dev_search_sysfs(can_setsecparam)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Unconfined access to this module
|
# Unconfined access to this module
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue