policy_module(selinux, 1.15.0) ######################################## # # Declarations # ## ##

## Boolean to determine whether the system permits loading policy, setting ## enforcing mode, and changing boolean values. Set this to true and you ## have to reboot to set it back. ##

##
gen_bool(secure_mode_policyload,false) attribute boolean_type; attribute can_load_policy; attribute can_setenforce; attribute can_setsecparam; attribute selinux_unconfined_type; type secure_mode_policyload_t; selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) # # security_t is the target type when checking # the permissions in the security class. It is also # applied to selinuxfs inodes. # type security_t, boolean_type; files_mountpoint(security_t) fs_type(security_t) mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) ######################################## # # Controlled setenforce access # neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; allow can_setenforce security_t:dir list_dir_perms; allow can_setenforce security_t:file rw_file_perms; dev_search_sysfs(can_setenforce) if(!secure_mode_policyload) { allow can_setenforce security_t:security setenforce; } ######################################## # # Controlled load_policy access # neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; allow can_load_policy security_t:dir list_dir_perms; allow can_load_policy security_t:file rw_file_perms; dev_search_sysfs(can_load_policy) if(!secure_mode_policyload) { allow can_load_policy security_t:security load_policy; } ######################################## # # Controlled security parameters access # neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; allow can_setsecparam security_t:dir list_dir_perms; allow can_setsecparam security_t:file rw_file_perms; allow can_setsecparam security_t:security setsecparam; auditallow can_setsecparam security_t:security setsecparam; dev_search_sysfs(can_setsecparam) ######################################## # # Unconfined access to this module # # use SELinuxfs allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans }; if(!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce }; allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; }