From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 8 Jun 2017 18:37:05 -0400 Subject: [refpolicy] [PATCH] selinux: fix context of secure_mode_policyload boolean In-Reply-To: <20170608171358.26280-1-cgzones@googlemail.com> References: <20170608171358.26280-1-cgzones@googlemail.com> Message-ID: <885cb62a-afc1-0c32-303b-9b422e716ce1@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/08/2017 01:13 PM, Christian G?ttsche via refpolicy wrote: > From: cgzones > > genfscon in interfaces seems not to work > --- > policy/modules/kernel/selinux.fc | 4 ++++ > policy/modules/kernel/selinux.if | 2 ++ > policy/modules/kernel/selinux.te | 4 ++-- > 3 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc > index 7be4ddf74..6d902f77b 100644 > --- a/policy/modules/kernel/selinux.fc > +++ b/policy/modules/kernel/selinux.fc > @@ -1 +1,5 @@ > # This module currently does not have any file contexts. > + > +/sys/fs/selinux(/.*)? gen_context(system_u:object_r:security_t,s0) > +/sys/fs/selinux/null -c gen_context(system_u:object_r:null_device_t,s0) > +/sys/fs/selinux/booleans/secure_mode_policyload -- gen_context(system_u:object_r:secure_mode_policyload_t,s0) > diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if > index 7380d805c..ddfd5a14f 100644 > --- a/policy/modules/kernel/selinux.if > +++ b/policy/modules/kernel/selinux.if > @@ -32,6 +32,8 @@ > ## > # > interface(`selinux_labeled_boolean',` > + refpolicywarn(`$0($*) has been deprecated.') This should not be deprecated, as the attribute is used by the selinux_set_all_booleans() interface. I'm fine removing the genfscon since it is no longer needed. > gen_require(` > attribute boolean_type; > ') > diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te > index c61fc1c12..bf0274411 100644 > --- a/policy/modules/kernel/selinux.te > +++ b/policy/modules/kernel/selinux.te 
> @@ -20,8 +20,8 @@ attribute can_setenforce; > attribute can_setsecparam; > attribute selinux_unconfined_type; > > -type secure_mode_policyload_t; > -selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) > +type secure_mode_policyload_t, boolean_type; > +genfscon selinuxfs /booleans/secure_mode_policyload gen_context(system_u:object_r:secure_mode_policyload_t,s0) > > # > # security_t is the target type when checking > -- Chris PeBenito
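Review bot: In the selinux.fc hunk, the unchanged context line "# This module currently does not have any file contexts." is left in place directly above three new entries, so the comment is no longer true. Drop it or replace it with a short comment describing the selinuxfs entries that follow.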
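Review bot: In the selinux.if hunk, the refpolicywarn added at the top of selinux_labeled_boolean announces a deprecation without naming a replacement, and the commit message ("genfscon in interfaces seems not to work") gives a reason for moving the genfscon, not for deprecating the interface. The visible gen_require still pulls in boolean_type, and the reply in this thread notes that selinux_set_all_booleans() depends on that attribute. Suggest dropping the refpolicywarn line and leaving the interface as the supported way to mark a type as a boolean type.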
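Review bot: In the selinux.te hunk, the new genfscon for /booleans/secure_mode_policyload assigns the same secure_mode_policyload_t context that the selinux.fc hunk adds for /sys/fs/selinux/booleans/secure_mode_policyload, so the label is now stated in two files with nothing linking them. Add a comment beside one entry pointing at the other, or explain in the commit message why both are required. The message should also say how the interface-level genfscon fails (build error or wrong label at runtime) so the change can be verified, and the type line now attaches boolean_type directly where the removed line went through selinux_labeled_boolean(), which is worth a sentence of justification as well.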