[COMMIT]refpolicy branch, master, updated. contrib-28-g8e94109

Reference Policy commits mail list refpolicy-commits at oss.tresys.com
Mon Sep 26 10:20:31 CDT 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy".

The branch, master has been updated
       via  8e94109c5226dc7fb370e65c1dbd8a1f60c5913c (commit)
       via  aecd12c7b0afe052555cd49da7f4a306ae457fcf (commit)
      from  7d6b1e5889ce275c31d29f5c88e976d805552e5c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8e94109c5226dc7fb370e65c1dbd8a1f60c5913c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 26 10:44:27 2011 -0400

    Change secure_mode_policyload to disable only toggling of this Boolean rather than disabling all Boolean toggling permissions.

commit aecd12c7b0afe052555cd49da7f4a306ae457fcf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 26 09:53:23 2011 -0400

    Move secure_mode_policyload into selinux module as that is the only place it is used.

-----------------------------------------------------------------------

Summary of changes:
 Changelog                        |    2 ++
 policy/global_booleans           |    9 ---------
 policy/modules/kernel/selinux.if |   32 ++++++++++++++++----------------
 policy/modules/kernel/selinux.te |   28 +++++++++++++++++++++++-----
 4 files changed, 41 insertions(+), 30 deletions(-)

Detailed diffset:
:100644 100644 6f1a3c7... 3685f81... M	Changelog
:100644 100644 71ff141... 66e85ea... M	policy/global_booleans
:100644 100644 ca7e808... 81440c5... M	policy/modules/kernel/selinux.if
:100644 100644 4baa2b9... e17c927... M	policy/modules/kernel/selinux.te

diff --git a/Changelog b/Changelog
index 6f1a3c7..3685f81 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Change secure_mode_policyload to disable only toggling of this Boolean
+  rather than disabling all Boolean toggling permissions.
 - Use role attributes to assist with domain transitions in interactive
   programs.
 - Milter ports patch from Paul Howarth.
diff --git a/policy/global_booleans b/policy/global_booleans
index 71ff141..66e85ea 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -12,12 +12,3 @@
 ## </p>
 ## </desc>
 gen_bool(secure_mode,false)
-
-## <desc>
-## <p>
-## boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values.  Set this to true and you
-## have to reboot to set it back
-## </p>
-## </desc>
-gen_bool(secure_mode_policyload,false)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ca7e808..81440c5 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -433,20 +433,17 @@ interface(`selinux_set_boolean',`
 interface(`selinux_set_generic_booleans',`
 	gen_require(`
 		type security_t;
-		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setbool;
+	allow $1 security_t:security setbool;
 
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security setbool;
-		')
-	}
+	ifdef(`distro_rhel4',`
+		# needed for systems without audit support
+		auditallow $1 security_t:security setbool;
+	')
 ')
 
 ########################################
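Review bot: With `setbool` now granted unconditionally in selinux_set_generic_booleans, the lock-down depends entirely on the secure_mode_policyload Boolean file being labeled secure_mode_policyload_t rather than security_t, and nothing in this hunk says so. If the running kernel does not apply the per-Boolean label, the file would presumably stay security_t, and the `allow $1 security_t:file rw_file_perms;` rule above would let any caller of this interface toggle it. The `distro_rhel4` branch kept here suggests such kernels may still be targeted, which is worth confirming. I would add a comment beside the allow, e.g. `# secure_mode_policyload is protected only by its secure_mode_policyload_t label; requires labeled-Boolean support`, or keep the old conditional for distributions without that support. The same dependency applies to the unconditional `setbool` in selinux_set_all_booleans and to the selinux_unconfined_type rules in selinux.te.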
@@ -473,21 +470,24 @@ interface(`selinux_set_generic_booleans',`
 #
 interface(`selinux_set_all_booleans',`
 	gen_require(`
-		type security_t;
+		type security_t, secure_mode_policyload_t;
 		attribute boolean_type;
 		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 boolean_type:file rw_file_perms;
+	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+	allow $1 secure_mode_policyload_t:file read_file_perms;
 
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setbool;
+	allow $1 security_t:security setbool;
 
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security setbool;
-		')
+	ifdef(`distro_rhel4',`
+		# needed for systems without audit support
+		auditallow $1 security_t:security setbool;
+	')
+
+	if(!secure_mode_policyload) {
+		allow $1 secure_mode_policyload_t:file write_file_perms;
 	}
 ')
 
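Review bot: The subtraction `{ boolean_type -secure_mode_policyload_t }` and the trailing `if(!secure_mode_policyload)` block in selinux_set_all_booleans have no comment explaining that the Boolean now gates only write access to its own file. A later rule that grants write on `boolean_type:file` without the subtraction would quietly undo the lock, so the intent should be stated where it is enforced. Suggested comment above the conditional: `# Once secure_mode_policyload is true its own file becomes read-only, so it cannot be cleared at runtime.` The interface's XML description sits outside this hunk and may need the same update.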
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 4baa2b9..e17c927 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,16 +1,28 @@
-policy_module(selinux, 1.10.0)
+policy_module(selinux, 1.10.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Boolean to determine whether the system permits loading policy, setting
+## enforcing mode, and changing boolean values.  Set this to true and you
+## have to reboot to set it back.
+## </p>
+## </desc>
+gen_bool(secure_mode_policyload,false)
+
 attribute boolean_type;
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
+type secure_mode_policyload_t;
+selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
+
 # 
 # security_t is the target type when checking
 # the permissions in the security class.  It is also
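Review bot: The `<desc>` text added above `gen_bool(secure_mode_policyload,false)` still says the Boolean controls "changing boolean values", which no longer matches the rules in this commit. Other Booleans stay toggleable and only this one is frozen. An administrator reading the description would expect a stronger lock-down than the policy provides. Suggest rewording the first two lines to `## Boolean to determine whether the system permits loading policy, setting` and `## enforcing mode, and changing the value of this Boolean.  Set this to true and you`.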
@@ -36,16 +48,22 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
 allow selinux_unconfined_type security_t:dir list_dir_perms;
 allow selinux_unconfined_type security_t:file rw_file_perms;
 allow selinux_unconfined_type boolean_type:file read_file_perms;
+allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 
 # Access the security API.
-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
+
+ifdef(`distro_rhel4',`
+	# needed for systems without audit support
+	auditallow selinux_unconfined_type security_t:security setbool;
+')
 
 if(!secure_mode_policyload) {
-	allow selinux_unconfined_type boolean_type:file rw_file_perms;
-	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+	allow selinux_unconfined_type security_t:security { load_policy setenforce };
+	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
 
 	ifdef(`distro_rhel4',`
 		# needed for systems without audit support
-		auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+		auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
 	')
 }


hooks/post-receive
--
refpolicy

