From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1616362703.0458f4e2ec20f27f0cdc6a29c91e62bb65865075.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/selinux.if policy/modules/kernel/selinux.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 0458f4e2ec20f27f0cdc6a29c91e62bb65865075
X-VCS-Branch: master
Date: Sun, 21 Mar 2021 22:10:58 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org

commit:     0458f4e2ec20f27f0cdc6a29c91e62bb65865075
Author:     Chris PeBenito ieee org>
AuthorDate: Fri Mar 5 21:06:44 2021 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0458f4e2

selinux: Add a secure_mode_setbool Boolean.

Enabling this will disable all permissions for setting SELinux Booleans, even for unconfined domains. This does not affect setenforce. Enable secure_mode_policyload along with secure_mode_setbool to fully lock the SELinux security interface.

Signed-off-by: Chris PeBenito ieee.org>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/kernel/selinux.if | 19 +++++++++++++------
 policy/modules/kernel/selinux.te | 30 +++++++++++++++++++++++-------
 2 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 43eebcd0..21d22ded 100644 --- a/policy/modules/kernel/selinux.if 
+++ b/policy/modules/kernel/selinux.if @@ -392,14 +392,18 @@ interface(`selinux_read_policy',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; + bool secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file read_file_perms; - allow $1 security_t:security setbool; + if(!secure_mode_setbool) { + allow $1 security_t:file write_file_perms; + allow $1 security_t:security setbool; + } ') ######################################## @@ -428,18 +432,21 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; - bool secure_mode_policyload; + bool secure_mode_policyload, secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; + allow $1 boolean_type:file read_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; - allow $1 security_t:security setbool; + if (!secure_mode_setbool) { + allow $1 security_t:security setbool; + allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; + } - if(!secure_mode_policyload) { + if(!secure_mode_policyload && !secure_mode_setbool) { allow $1 secure_mode_policyload_t:file write_file_perms; } ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 3e4f2000..a1b4ae3e 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0) ## ##

-## Boolean to determine whether the system permits loading policy, setting -## enforcing mode, and changing boolean values. Set this to true and you -## have to reboot to set it back. +## Boolean to determine whether the system permits loading policy, and setting +## enforcing mode. Set this to true and you have to reboot to set it back. ##

##
gen_bool(secure_mode_policyload,false) +## +##

+## Boolean to determine whether the system permits setting Booelan values. +##

+##
+gen_bool(secure_mode_setbool,false) + attribute boolean_type; attribute can_load_policy; attribute can_setenforce; @@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam) allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; -allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. -allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans }; +allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans }; -if(!secure_mode_policyload) { +if (!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce }; - allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; +} + +if (!secure_mode_setbool) { + allow selinux_unconfined_type security_t:security setbool; +} + +if (secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; +} + +if (!secure_mode_policyload && !secure_mode_setbool) { + allow selinux_unconfined_type boolean_type:file write_file_perms; }
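Review bot: in the selinux_set_generic_booleans hunk of selinux.if, the new conditional is written `if(!secure_mode_setbool) {` with no space after `if`, while the selinux.te hunk in the same commit deliberately rewrites `if(!secure_mode_policyload)` to `if (!secure_mode_policyload)`; use the spaced form here so both files follow one style. The permission split itself is right: `read_file_perms` on security_t stays unconditional, and `write_file_perms` plus `security_t:security setbool` are only granted while the Boolean is off, which is exactly what the commit message promises.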
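Review bot: in the selinux_set_all_booleans hunk, `allow $1 secure_mode_policyload_t:file read_file_perms;` is now redundant: the line above it became `allow $1 boolean_type:file read_file_perms;`, and secure_mode_policyload_t is a member of boolean_type (the hunk itself subtracts it with `{ boolean_type -secure_mode_policyload_t }`), so the explicit rule can be dropped. The outer `if(!secure_mode_policyload && !secure_mode_setbool)` also lacks the space after `if` that the inner `if (!secure_mode_setbool)` has. The write side is correct: writes to ordinary Boolean files and `security:setbool` are gated on `!secure_mode_setbool`, and the write to secure_mode_policyload_t additionally requires `!secure_mode_policyload`, so with both Booleans on the interface grants read-only access.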
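Review bot: the new description in selinux.te reads `## Boolean to determine whether the system permits setting Booelan values.`; fix the typo `Booelan` to `Boolean`. The description should also carry the same caveat given for secure_mode_policyload: once secure_mode_setbool is on, `security:setbool` is withdrawn from every caller of these interfaces and from selinux_unconfined_type, so the Boolean cannot be turned back off through the Boolean interface itself, and when secure_mode_policyload is also on (the combination the commit message recommends) only a reboot clears it. An administrator reading the tunable description should learn that before enabling it.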
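Review bot: in the selinux_unconfined_type hunk of selinux.te, the two new write rules split on secure_mode_policyload in opposite directions (`if (secure_mode_policyload && !secure_mode_setbool)` grants `{ boolean_type -secure_mode_policyload_t }:file write_file_perms` and `if (!secure_mode_policyload && !secure_mode_setbool)` grants `boolean_type:file write_file_perms`), which is correct but harder to check than the equivalent form used in selinux_set_all_booleans: grant `{ boolean_type -secure_mode_policyload_t }:file write_file_perms` under `if (!secure_mode_setbool)` and `secure_mode_policyload_t:file write_file_perms` under `if (!secure_mode_policyload && !secure_mode_setbool)`. Separately, `allow selinux_unconfined_type security_t:file rw_file_perms;` stays unconditional here while selinux_set_generic_booleans gates the write half of it on secure_mode_setbool; that is defensible for unconfined domains, which still write the security_t files for the setenforce and load_policy paths kept under `if (!secure_mode_policyload)`, but a one-line comment would stop the asymmetry from being read as an oversight.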