trunk: add support for labeled booleans.

2009-01-13 13:01:48 +00:00 · 2009-01-13 13:01:48 +00:00 · f0435b1ac4
parent c1262146e0
commit f0435b1ac4
7 changed files with 127 additions and 11 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Add support for labeled Booleans.
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.

--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -5,6 +5,44 @@
 ##	Contains the policy for the kernel SELinux security interface.
 ## </required>

+########################################
+## <summary>
+##	Make the specified type used for labeling SELinux Booleans.
+##	This interface is only usable in the base module.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type used for labeling SELinux Booleans.
+##	</p>
+##	<p>
+##	This makes use of genfscon statements, which are only
+##	available in the base module.  Thus any module which calls this
+##	interface must be included in the base module.
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type used for labeling a Boolean.
+##	</summary>
+## </param>
+## <param name="boolean">
+##	<summary>
+##	Name of the Boolean.
+##	</summary>
+## </param>
+#
+interface(`selinux_labeled_boolean',`
+	gen_require(`
+		attribute boolean_type;
+	')
+
+	typeattribute $1 boolean_type;
+
+	# because of this statement, any module which
+	# calls this interface must be in the base module:
+	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+')
+
 ########################################
 ## <summary>
 ##	Get the mountpoint of the selinuxfs filesystem.
@ -266,7 +304,7 @@ interface(`selinux_load_policy',`
 ########################################
 ## <summary>
 ##	Allow caller to set the state of Booleans to
-##	enable or disable conditional portions of the policy.
+##	enable or disable conditional portions of the policy.  (Deprecated)
 ## </summary>
 ## <desc>
 ##	<p>
@ -277,6 +315,38 @@ interface(`selinux_load_policy',`
 ##	Since this is a security event, this action is
 ##	always audited.
 ##	</p>
+##	<p>
+##	This interface has been deprecated.  Please use
+##	selinux_set_generic_booleans() or selinux_set_all_booleans()
+##	instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to set the Boolean.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_boolean',`
+	refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
+	selinux_set_generic_booleans($1)
+')
+
+########################################
+## <summary>
+##	Allow caller to set the state of generic Booleans to
+##	enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the state of generic Booleans to
+##	enable or disable conditional portions of the policy.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
@ -285,7 +355,7 @@ interface(`selinux_load_policy',`
 ## </param>
 ## <rolecap/>
 #
-interface(`selinux_set_boolean',`
+interface(`selinux_set_generic_booleans',`
 	gen_require(`
 		type security_t;
 		bool secure_mode_policyload;
@ -304,6 +374,48 @@ interface(`selinux_set_boolean',`
 	}
 ')

+########################################
+## <summary>
+##	Allow caller to set the state of all Booleans to
+##	enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the state of all Booleans to
+##	enable or disable conditional portions of the policy.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to set the Boolean.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_all_booleans',`
+	gen_require(`
+		type security_t;
+		attribute boolean_type;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 boolean_type:file rw_file_perms;
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security setbool;
+
+		ifdef(`distro_rhel4',`
+			# needed for systems without audit support
+			auditallow $1 security_t:security setbool;
+		')
+	}
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to set SELinux access vector cache parameters.
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@ -1,11 +1,12 @@

-policy_module(selinux, 1.7.0)
+policy_module(selinux, 1.7.1)

 ########################################
 #
 # Declarations
 #

+attribute boolean_type;
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;
@ -16,7 +17,7 @@ attribute selinux_unconfined_type;
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t;
+type security_t, boolean_type;
 fs_type(security_t)
 mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
@ -35,11 +36,13 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
 # use SELinuxfs
 allow selinux_unconfined_type security_t:dir list_dir_perms;
 allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type boolean_type:file read_file_perms;

 # Access the security API.
 allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };

 if(!secure_mode_policyload) {
+	allow selinux_unconfined_type boolean_type:file rw_file_perms;
 	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };

 	ifdef(`distro_rhel4',`
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init, 1.13.0)
+policy_module(init, 1.13.1)

 gen_require(`
 	class passwd rootok;
@ -151,7 +151,7 @@ mls_file_write_all_levels(init_t)
 mls_process_write_down(init_t)
 mls_fd_use_all_levels(init_t)

-selinux_set_boolean(init_t)
+selinux_set_all_booleans(init_t)

 term_use_all_terms(init_t)

--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -1,5 +1,5 @@

-policy_module(selinuxutil, 1.12.0)
+policy_module(selinuxutil, 1.12.1)

 gen_require(`
 	bool secure_mode;
@ -170,7 +170,7 @@ fs_getattr_xattr_fs(load_policy_t)
 mls_file_read_all_levels(load_policy_t)

 selinux_load_policy(load_policy_t)
-selinux_set_boolean(load_policy_t)
+selinux_set_all_booleans(load_policy_t)

 term_use_console(load_policy_t)
 term_list_ptys(load_policy_t)
@ -453,7 +453,7 @@ selinux_validate_context(semanage_t)
 selinux_get_enforce_mode(semanage_t)
 selinux_getattr_fs(semanage_t)
 # for setsebool:
-selinux_set_boolean(semanage_t)
+selinux_set_all_booleans(semanage_t)

 term_use_all_terms(semanage_t)

--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1231,7 +1231,7 @@ template(`userdom_security_admin_template',`
 	mls_file_downgrade($1)

 	selinux_set_enforce_mode($1)
-	selinux_set_boolean($1)
+	selinux_set_all_booleans($1)
 	selinux_set_parameters($1)

 	auth_relabel_all_files_except_shadow($1)
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@

-policy_module(userdomain, 4.1.2)
+policy_module(userdomain, 4.1.3)

 ########################################
 #