Revise selinux module interfaces for perms protected by neverallows.

Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.

Closes #14

policy/modules/kernel/selinux.if

@@ -322,19 +322,10 @@ interface(`selinux_get_enforce_mode',`
 #
 interface(`selinux_set_enforce_mode',`
 	gen_require(`
-		type security_t;
 		attribute can_setenforce;
-		bool secure_mode_policyload;
 	')
 
-	dev_search_sysfs($1)
-	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_setenforce;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setenforce;
-	}
 ')
 
 ########################################
@@ -349,19 +340,10 @@ interface(`selinux_set_enforce_mode',`
 #
 interface(`selinux_load_policy',`
 	gen_require(`
-		type security_t;
 		attribute can_load_policy;
-		bool secure_mode_policyload;
 	')
 
-	dev_search_sysfs($1)
-	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_load_policy;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security load_policy;
-	}
 ')
 
 ########################################
@@ -518,15 +500,9 @@ interface(`selinux_set_all_booleans',`
 #
 interface(`selinux_set_parameters',`
 	gen_require(`
-		type security_t;
 		attribute can_setsecparam;
 	')
 
-	dev_search_sysfs($1)
-	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
-	allow $1 security_t:security setsecparam;
-	auditallow $1 security_t:security setsecparam;
 	typeattribute $1 can_setsecparam;
 ')
 

policy/modules/kernel/selinux.te

@@ -1,4 +1,4 @@
-policy_module(selinux, 1.14.0)
+policy_module(selinux, 1.14.1)
 
 ########################################
 #
@@ -36,10 +36,52 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
 
-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+########################################
+#
+# Controlled setenforce access
+#
+
 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+
+allow can_setenforce security_t:dir list_dir_perms;
+allow can_setenforce security_t:file rw_file_perms;
+
+dev_search_sysfs(can_setenforce)
+
+if(!secure_mode_policyload) {
+	allow can_setenforce security_t:security setenforce;
+}
+
+########################################
+#
+# Controlled load_policy access
+#
+
+neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+
+allow can_load_policy security_t:dir list_dir_perms;
+allow can_load_policy security_t:file rw_file_perms;
+
+dev_search_sysfs(can_load_policy)
+
+if(!secure_mode_policyload) {
+	allow can_load_policy security_t:security load_policy;
+}
+
+########################################
+#
+# Controlled security parameters access
+#
+
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 
+allow can_setsecparam security_t:dir list_dir_perms;
+allow can_setsecparam security_t:file rw_file_perms;
+allow can_setsecparam security_t:security setsecparam;
+auditallow can_setsecparam security_t:security setsecparam;
+
+dev_search_sysfs(can_setsecparam)
+
 ########################################
 #
 # Unconfined access to this module