policy_module(selinux, 1.14.0) ######################################## # # Declarations # ## ##

## Boolean to determine whether the system permits loading policy, setting ## enforcing mode, and changing boolean values. Set this to true and you ## have to reboot to set it back. ##

##
gen_bool(secure_mode_policyload,false) attribute boolean_type; attribute can_load_policy; attribute can_setenforce; attribute can_setsecparam; attribute selinux_unconfined_type; type secure_mode_policyload_t; selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) # # security_t is the target type when checking # the permissions in the security class. It is also # applied to selinuxfs inodes. # type security_t, boolean_type; files_mountpoint(security_t) fs_type(security_t) mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; ######################################## # # Unconfined access to this module # # use SELinuxfs allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; if(!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce }; allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; }