selinux: Add togglable selinux boot status
parent
a4195b3e8b
commit
aaf36b2803
@ -71,6 +71,20 @@ config SECURITY_SELINUX_DEVELOP
|
|||
can interactively toggle the kernel between enforcing mode and
|
||||
permissive mode (if permitted by the policy) via /selinux/enforce.
|
||||
|
||||
config SECURITY_SELINUX_ALWAYS_ENFORCE
|
||||
bool "NSA SELinux Always Enforcing"
|
||||
depends on SECURITY_SELINUX_DEVELOP
|
||||
default n
|
||||
help
|
||||
This option will prevent anything from setting SELinux to permissive.
|
||||
|
||||
config SECURITY_SELINUX_ALWAYS_PERMISSIVE
|
||||
bool "NSA SELinux Always Permissive"
|
||||
depends on SECURITY_SELINUX_DEVELOP
|
||||
default n
|
||||
help
|
||||
This option will prevent anything from setting SELinux to enforcing.
|
||||
|
||||
config SECURITY_SELINUX_AVC_STATS
|
||||
bool "NSA SELinux AVC Statistics"
|
||||
depends on SECURITY_SELINUX
|
||||
|
|
|
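Review bot: SECURITY_SELINUX_ALWAYS_ENFORCE and SECURITY_SELINUX_ALWAYS_PERMISSIVE can both be enabled at once — neither new option excludes the other, so a contradictory configuration is accepted and is only resolved by preprocessor order in sel_write_enforce (the `#ifdef` / `#elif defined(...)` pair in the second hunk makes enforce win silently). Reject the conflict at configuration time instead: add `depends on !SECURITY_SELINUX_ALWAYS_PERMISSIVE` under the ALWAYS_ENFORCE option (or put both under a `choice` with a "runtime toggle" default), which also documents the precedence. The two help texts should state the operational consequence, since these options override the policy-based SETENFORCE check rather than merely changing a default: for the first, `Writes to /selinux/enforce are ignored; SELinux cannot be switched to permissive at runtime.`, and the mirrored sentence for the second. Both being build-time options that pin the enforcing state, it is worth noting in the help that they are intended for development builds only, as their dependency on SECURITY_SELINUX_DEVELOP already implies.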
@ -160,27 +160,16 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
|
|||
new_value = !!new_value;
|
||||
|
||||
old_value = enforcing_enabled(state);
|
||||
// [ SEC_SELINUX_PORTING_COMMON
|
||||
#ifdef CONFIG_ALWAYS_ENFORCE
|
||||
// If build is user build and enforce option is set, selinux is always enforcing
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
|
||||
// If always enforce option is set, selinux is always enforcing
|
||||
new_value = 1;
|
||||
length = avc_has_perm(&selinux_state,
|
||||
current_sid(), SECINITSID_SECURITY,
|
||||
SECCLASS_SECURITY, SECURITY__SETENFORCE,
|
||||
NULL);
|
||||
audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
|
||||
"enforcing=%d old_enforcing=%d auid=%u ses=%u"
|
||||
" enabled=%d old-enabled=%d lsm=selinux res=1",
|
||||
new_value, selinux_enforcing,
|
||||
from_kuid(&init_user_ns, audit_get_loginuid(current)),
|
||||
audit_get_sessionid(current),
|
||||
selinux_enabled, selinux_enabled);
|
||||
enforcing_set(state, new_value);
|
||||
avc_ss_reset(state->avc, 0);
|
||||
selnl_notify_setenforce(new_value);
|
||||
selinux_status_update_setenforce(state, new_value);
|
||||
#else
|
||||
if (new_value != selinux_enforcing) { // SEC_SELINUX_PORTING_COMMON Change to use RKP
|
||||
#elif defined(CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE)
|
||||
// If always permissive option is set, selinux is always permissive
|
||||
new_value = 0;
|
||||
#endif
|
||||
if (new_value != old_value) {
|
||||
|
||||
length = avc_has_perm(&selinux_state,
|
||||
current_sid(), SECINITSID_SECURITY,
|
||||
SECCLASS_SECURITY, SECURITY__SETENFORCE,
|
||||
|
|