diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 3a64fca..08c2907 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -394,20 +394,8 @@ interface(`selinux_compute_user_contexts',` # interface(`selinux_unconfined',` gen_require(` - attribute can_load_policy, can_setenforce, can_setsecparam; - bool secure_mode_policyload; - type security_t; + attribute selinux_unconfined_type; ') - # use SELinuxfs - allow $1 security_t:dir { getattr search read }; - allow $1 security_t:file { getattr read write }; - - typeattribute $1 can_load_policy, can_setenforce, can_setsecparam; - - if(!secure_mode_policyload) { - # Access the security API. - allow $1 security_t:security *; - auditallow $1 security_t:security { load_policy setenforce setbool }; - } + typeattribute $1 selinux_unconfined_type; ') diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te index bfa5712..5d60938 100644 --- a/refpolicy/policy/modules/kernel/selinux.te +++ b/refpolicy/policy/modules/kernel/selinux.te @@ -1,5 +1,5 @@ -policy_module(selinux,1.1.0) +policy_module(selinux,1.1.1) ######################################## # @@ -9,6 +9,7 @@ policy_module(selinux,1.1.0) attribute can_load_policy; attribute can_setenforce; attribute can_setsecparam; +attribute selinux_unconfined_type; # # security_t is the target type when checking @@ -21,6 +22,23 @@ mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,s15:c0.c255) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) -neverallow ~can_load_policy security_t:security load_policy; -neverallow ~can_setenforce security_t:security setenforce; -neverallow ~can_setsecparam security_t:security setsecparam; +neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; +neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; +neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; + +######################################## +# +# Unconfined access to this module +# + +# use SELinuxfs +allow selinux_unconfined_type security_t:dir { getattr search read }; +allow selinux_unconfined_type security_t:file { getattr read write }; + +# Access the security API. +allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; + +if(!secure_mode_policyload) { + allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; + auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; +} diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 97e99db..ba8dc8a 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -56,10 +56,6 @@ interface(`unconfined_domain_noaudit',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; # auditallow $1 self:process execstack; - ', ` - # These are fairly common but seem to be harmless - # caused by using shared libraries built with old tool chains - #dontaudit $1 self:process execstack; ') @@ -73,6 +69,8 @@ interface(`unconfined_domain_noaudit',` ') optional_policy(` + # this is to handle execmod on shared + # libs with text relocations libs_use_shared_libs($1) ')