2017-06-08 17:13:58

by Christian Göttsche

Subject: [refpolicy] [PATCH] selinux: fix context of secure_mode_policyload boolean

From: cgzones <[email protected]>

genfscon in interfaces seems not to work
---
policy/modules/kernel/selinux.fc | 4 ++++
policy/modules/kernel/selinux.if | 2 ++
policy/modules/kernel/selinux.te | 4 ++--
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
index 7be4ddf74..6d902f77b 100644
--- a/policy/modules/kernel/selinux.fc
+++ b/policy/modules/kernel/selinux.fc
@@ -1 +1,5 @@
# This module currently does not have any file contexts.
+
+/sys/fs/selinux(/.*)? gen_context(system_u:object_r:security_t,s0)
+/sys/fs/selinux/null -c gen_context(system_u:object_r:null_device_t,s0)
+/sys/fs/selinux/booleans/secure_mode_policyload -- gen_context(system_u:object_r:secure_mode_policyload_t,s0)
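Review bot: the retained header comment "# This module currently does not have any file contexts." is now false, since this hunk adds three entries directly below it; drop the comment or replace it with one explaining what the entries are for. That explanation is worth having, because selinuxfs is labeled by the kernel through genfscon (the selinux.te hunk of this same patch adds exactly such a rule for /booleans/secure_mode_policyload), so these file_contexts entries do not set labels on a mounted /sys/fs/selinux; they serve userspace lookups (matchpathcon, the file_contexts consumers) and must be kept in step with the genfscon rules by hand. The ordering itself is fine: the untyped catch-all `/sys/fs/selinux(/.*)?` comes first and the more specific `-c` (null) and `--` (boolean file) entries follow it.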
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 7380d805c..ddfd5a14f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -32,6 +32,8 @@
## </param>
#
interface(`selinux_labeled_boolean',`
+ refpolicywarn(`$0($*) has been deprecated.')
+
gen_require(`
attribute boolean_type;
')
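Review bot: the refpolicywarn() deprecation added at the top of selinux_labeled_boolean() is not matched by a change to the interface's XML documentation block (the `## </param>` context line shows that block still describes a live interface), and the hunk leaves the `gen_require` of `attribute boolean_type` in place, so callers keep receiving the attribute while being told the interface is deprecated. If the part that does not work is only the genfscon inside the interface, the smaller change is to delete that line and keep the interface, since assigning boolean_type is still how other modules make a type a boolean (the reply below notes selinux_set_all_booleans() relies on the attribute); if the whole interface is to go, mark it deprecated in the doc comment as well and remove the body rather than leaving a warning in front of working code.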
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index c61fc1c12..bf0274411 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -20,8 +20,8 @@ attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;

-type secure_mode_policyload_t;
-selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
+type secure_mode_policyload_t, boolean_type;
+genfscon selinuxfs /booleans/secure_mode_policyload gen_context(system_u:object_r:secure_mode_policyload_t,s0)

#
# security_t is the target type when checking
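Review bot: the new `type secure_mode_policyload_t, boolean_type;` line needs `attribute boolean_type;` declared earlier in selinux.te, and the hunk context (attribute can_setsecparam / selinux_unconfined_type) does not show that declaration; confirm it precedes this point or the module will not compile. The genfscon rule moved here from the interface now labels the same path that the selinux.fc hunk also covers, so the two statements must stay consistent whenever the type or path changes. A one-line comment above the genfscon giving the reason from the commit message ("genfscon in interfaces seems not to work", most likely because genfscon is only accepted in the base module, not in loadable modules built with checkmodule) would stop a future cleanup from moving it back into the interface.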
--
2.11.0


2017-06-08 22:37:05

by Chris PeBenito

Subject: [refpolicy] [PATCH] selinux: fix context of secure_mode_policyload boolean

On 06/08/2017 01:13 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> genfscon in interfaces seems not to work
> ---
> policy/modules/kernel/selinux.fc | 4 ++++
> policy/modules/kernel/selinux.if | 2 ++
> policy/modules/kernel/selinux.te | 4 ++--
> 3 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
> index 7be4ddf74..6d902f77b 100644
> --- a/policy/modules/kernel/selinux.fc
> +++ b/policy/modules/kernel/selinux.fc
> @@ -1 +1,5 @@
> # This module currently does not have any file contexts.
> +
> +/sys/fs/selinux(/.*)? gen_context(system_u:object_r:security_t,s0)
> +/sys/fs/selinux/null -c gen_context(system_u:object_r:null_device_t,s0)
> +/sys/fs/selinux/booleans/secure_mode_policyload -- gen_context(system_u:object_r:secure_mode_policyload_t,s0)
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 7380d805c..ddfd5a14f 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -32,6 +32,8 @@
> ## </param>
> #
> interface(`selinux_labeled_boolean',`
> + refpolicywarn(`$0($*) has been deprecated.')

This should not be deprecated, as the attribute is used by the
selinux_set_all_booleans() interface. I'm fine removing the genfscon
since it is no longer needed.


> gen_require(`
> attribute boolean_type;
> ')
> diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
> index c61fc1c12..bf0274411 100644
> --- a/policy/modules/kernel/selinux.te
> +++ b/policy/modules/kernel/selinux.te
> @@ -20,8 +20,8 @@ attribute can_setenforce;
> attribute can_setsecparam;
> attribute selinux_unconfined_type;
>
> -type secure_mode_policyload_t;
> -selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
> +type secure_mode_policyload_t, boolean_type;
> +genfscon selinuxfs /booleans/secure_mode_policyload gen_context(system_u:object_r:secure_mode_policyload_t,s0)
>
> #
> # security_t is the target type when checking
>


--
Chris PeBenito