[selinux-policy: 2075/3172] trunk: add support for labeled booleans.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:04:08 UTC 2010
commit f0435b1ac485336656080a8c0d4d1201ad1ba4f6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jan 13 13:01:48 2009 +0000
trunk: add support for labeled booleans.
Changelog | 1 +
policy/modules/kernel/selinux.if | 114 +++++++++++++++++++++++++++++++++-
policy/modules/kernel/selinux.te | 7 ++-
policy/modules/system/init.te | 4 +-
policy/modules/system/selinuxutil.te | 6 +-
policy/modules/system/userdomain.if | 2 +-
policy/modules/system/userdomain.te | 2 +-
7 files changed, 126 insertions(+), 10 deletions(-)
---
diff --git a/Changelog b/Changelog
index 75e2c07..b453974 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add support for labeled Booleans.
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 946f8fc..677f82a 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -7,6 +7,44 @@
########################################
## <summary>
+## Make the specified type used for labeling SELinux Booleans.
+## This interface is only usable in the base module.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type used for labeling SELinux Booleans.
+## </p>
+## <p>
+## This makes use of genfscon statements, which are only
+## available in the base module. Thus any module which calls this
+## interface must be included in the base module.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type used for labeling a Boolean.
+## </summary>
+## </param>
+## <param name="boolean">
+## <summary>
+## Name of the Boolean.
+## </summary>
+## </param>
+#
+interface(`selinux_labeled_boolean',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ typeattribute $1 boolean_type;
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+ genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+')
+
+########################################
+## <summary>
## Get the mountpoint of the selinuxfs filesystem.
## </summary>
## <param name="domain">
@@ -266,7 +304,7 @@ interface(`selinux_load_policy',`
########################################
## <summary>
## Allow caller to set the state of Booleans to
-## enable or disable conditional portions of the policy.
+## enable or disable conditional portions of the policy. (Deprecated)
## </summary>
## <desc>
## <p>
@@ -277,6 +315,11 @@ interface(`selinux_load_policy',`
## Since this is a security event, this action is
## always audited.
## </p>
+## <p>
+## This interface has been deprecated. Please use
+## selinux_set_generic_booleans() or selinux_set_all_booleans()
+## instead.
+## </p>
## </desc>
## <param name="domain">
## <summary>
@@ -286,6 +329,33 @@ interface(`selinux_load_policy',`
## <rolecap/>
#
interface(`selinux_set_boolean',`
+ refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
+ selinux_set_generic_booleans($1)
+')
+
+########################################
+## <summary>
+## Allow caller to set the state of generic Booleans to
+## enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the state of generic Booleans to
+## enable or disable conditional portions of the policy.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The process type allowed to set the Boolean.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
bool secure_mode_policyload;
@@ -306,6 +376,48 @@ interface(`selinux_set_boolean',`
########################################
## <summary>
+## Allow caller to set the state of all Booleans to
+## enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the state of all Booleans to
+## enable or disable conditional portions of the policy.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The process type allowed to set the Boolean.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_all_booleans',`
+ gen_require(`
+ type security_t;
+ attribute boolean_type;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:file rw_file_perms;
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setbool;
+ ')
+ }
+')
+
+########################################
+## <summary>
## Allow caller to set SELinux access vector cache parameters.
## </summary>
## <desc>
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 32d4c26..c409d3d 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,11 +1,12 @@
-policy_module(selinux, 1.7.0)
+policy_module(selinux, 1.7.1)
########################################
#
# Declarations
#
+attribute boolean_type;
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
@@ -16,7 +17,7 @@ attribute selinux_unconfined_type;
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t;
+type security_t, boolean_type;
fs_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
@@ -35,11 +36,13 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type boolean_type:file read_file_perms;
# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
if(!secure_mode_policyload) {
+ allow selinux_unconfined_type boolean_type:file rw_file_perms;
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
ifdef(`distro_rhel4',`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c6d9723..f954c0c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init, 1.13.0)
+policy_module(init, 1.13.1)
gen_require(`
class passwd rootok;
@@ -151,7 +151,7 @@ mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
-selinux_set_boolean(init_t)
+selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 5741c9a..7815d4b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil, 1.12.0)
+policy_module(selinuxutil, 1.12.1)
gen_require(`
bool secure_mode;
@@ -170,7 +170,7 @@ fs_getattr_xattr_fs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
selinux_load_policy(load_policy_t)
-selinux_set_boolean(load_policy_t)
+selinux_set_all_booleans(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
@@ -453,7 +453,7 @@ selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
selinux_getattr_fs(semanage_t)
# for setsebool:
-selinux_set_boolean(semanage_t)
+selinux_set_all_booleans(semanage_t)
term_use_all_terms(semanage_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 740a841..877ecb7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1231,7 +1231,7 @@ template(`userdom_security_admin_template',`
mls_file_downgrade($1)
selinux_set_enforce_mode($1)
- selinux_set_boolean($1)
+ selinux_set_all_booleans($1)
selinux_set_parameters($1)
auth_relabel_all_files_except_shadow($1)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 54174b0..504f26a 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain, 4.1.2)
+policy_module(userdomain, 4.1.3)
########################################
#
More information about the scm-commits
mailing list