commit: 0458f4e2ec20f27f0cdc6a29c91e62bb65865075 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Fri Mar 5 21:06:44 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Mar 21 21:38:23 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0458f4e2
selinux: Add a secure_mode_setbool Boolean. Enabling this will disable all permissions for setting SELinux Booleans, even for unconfined domains. This does not affect setenforce. Enable secure_mode_policyload along with secure_mode_setbool to fully lock the SELinux security interface. Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/kernel/selinux.if | 19 +++++++++++++------ policy/modules/kernel/selinux.te | 30 +++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 43eebcd0..21d22ded 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -392,14 +392,18 @@ interface(`selinux_read_policy',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; + bool secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file read_file_perms; - allow $1 security_t:security setbool; + if(!secure_mode_setbool) { + allow $1 security_t:file write_file_perms; + allow $1 security_t:security setbool; + } ') ######################################## @@ -428,18 +432,21 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; - bool secure_mode_policyload; + bool secure_mode_policyload, secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; + allow $1 boolean_type:file read_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; - allow $1 security_t:security setbool; + if (!secure_mode_setbool) { + allow $1 security_t:security setbool; + allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; + } - if(!secure_mode_policyload) { + if(!secure_mode_policyload && !secure_mode_setbool) { allow $1 secure_mode_policyload_t:file write_file_perms; } ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 3e4f2000..a1b4ae3e 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0) ## <desc> ## <p> -## Boolean to determine whether the system permits loading policy, setting -## enforcing mode, and changing boolean values. Set this to true and you -## have to reboot to set it back. +## Boolean to determine whether the system permits loading policy, and setting +## enforcing mode. Set this to true and you have to reboot to set it back. ## </p> ## </desc> gen_bool(secure_mode_policyload,false) +## <desc> +## <p> +## Boolean to determine whether the system permits setting Booelan values. +## </p> +## </desc> +gen_bool(secure_mode_setbool,false) + attribute boolean_type; attribute can_load_policy; attribute can_setenforce; @@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam) allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; -allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. -allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans }; +allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans }; -if(!secure_mode_policyload) { +if (!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce }; - allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; +} + +if (!secure_mode_setbool) { + allow selinux_unconfined_type security_t:security setbool; +} + +if (secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; +} + +if (!secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type boolean_type:file write_file_perms; }