policy_module(selinux, 1.12.1) ######################################## # # Declarations # ## ##

## Boolean to determine whether the system permits loading policy, setting ## enforcing mode, and changing boolean values. Set this to true and you ## have to reboot to set it back. ##

##
gen_bool(secure_mode_policyload,false) attribute boolean_type; attribute can_load_policy; attribute can_setenforce; attribute can_setbool; attribute can_setsecparam; attribute selinux_unconfined_type; type secure_mode_policyload_t; selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) # # security_t is the target type when checking # the permissions in the security class. It is also # applied to selinuxfs inodes. # type security_t, boolean_type; files_mountpoint(security_t) fs_type(security_t) mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) neverallow ~{ can_load_policy } security_t:security load_policy; neverallow ~{ can_setenforce } security_t:security setenforce; neverallow ~{ can_setsecparam } security_t:security setsecparam; ######################################## # # Unconfined access to this module # # use SELinuxfs allow selinux_unconfined_type security_t:dir list_dir_perms; allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; ifdef(`distro_rhel4',` # needed for systems without audit support auditallow selinux_unconfined_type security_t:security setbool; ') if(!secure_mode_policyload) { allow can_setenforce security_t:security setenforce; dev_getattr_sysfs_fs(can_setenforce) dev_search_sysfs(can_setenforce) allow can_setenforce security_t:dir list_dir_perms; allow can_setenforce security_t:file rw_file_perms; ifdef(`distro_rhel4',` # needed for systems without audit support auditallow can_setenforce security_t:security setenforce; ') allow can_load_policy security_t:security load_policy; ifdef(`distro_rhel4',` # needed for systems without audit support auditallow can_load_policy security_t:security load_policy; ') allow can_setbool boolean_type:security setbool; ifdef(`distro_rhel4',` # needed for systems without audit support auditallow can_setbool boolean_type:security setbool; ') }