nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
624abc4f54
selinux-refpolicy/policy/modules/kernel/selinux.te
Chris PeBenito b94f45d760 Revise selinux module interfaces for perms protected by neverallows. 
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.

Closes #14
2015-11-04 15:10:29 -05:00

103 lines
2.9 KiB
Plaintext
Raw Blame History

policy_module(selinux, 1.14.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Boolean to determine whether the system permits loading policy, setting
## enforcing mode, and changing boolean values. Set this to true and you
## have to reboot to set it back.
## </p>
## </desc>
gen_bool(secure_mode_policyload,false)
attribute boolean_type;
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
type secure_mode_policyload_t;
selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
#
# security_t is the target type when checking
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
type security_t, boolean_type;
files_mountpoint(security_t)
fs_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
########################################
#
# Controlled setenforce access
#
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
allow can_setenforce security_t:dir list_dir_perms;
allow can_setenforce security_t:file rw_file_perms;
dev_search_sysfs(can_setenforce)
if(!secure_mode_policyload) {
allow can_setenforce security_t:security setenforce;
}
########################################
#
# Controlled load_policy access
#
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
allow can_load_policy security_t:dir list_dir_perms;
allow can_load_policy security_t:file rw_file_perms;
dev_search_sysfs(can_load_policy)
if(!secure_mode_policyload) {
allow can_load_policy security_t:security load_policy;
}
########################################
#
# Controlled security parameters access
#
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
allow can_setsecparam security_t:dir list_dir_perms;
allow can_setsecparam security_t:file rw_file_perms;
allow can_setsecparam security_t:security setsecparam;
auditallow can_setsecparam security_t:security setsecparam;
dev_search_sysfs(can_setsecparam)
########################################
#
# Unconfined access to this module
#
# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
allow selinux_unconfined_type security_t:file rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;
allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce };
allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}
Reference in New Issue View Git Blame Copy Permalink