1088753 – SELinux boolean: secure_mode_policyload can be disabled when it was turned on

Bug 1088753 - SELinux boolean: secure_mode_policyload can be disabled when it was turned on

Summary: SELinux boolean: secure_mode_policyload can be disabled when it was turned on

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	20
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-17 06:43 UTC by Artur Szymczak
Modified:	2014-05-24 23:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-3.12.1-166.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-05-24 23:28:10 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Artur Szymczak 2014-04-17 06:43:32 UTC

Description of problem:
According to man anaconda_selinux (and other selinux man pages):
[quote]
If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and  changing  boolean  values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default.

       setsebool -P secure_mode_policyload 1
[/quote]
Yes, it is half-truth. WHen you turn on this boolean, then you cannot change enforcing mode, but you can disable this boolean. Tak a look at my steps to reproduce.

Version-Release number of selected component (if applicable):
kernel-3.13.9-200.fc20.x86_64
selinux-policy-targeted-3.12.1-149.fc20.noarch

How reproducible:
always

Steps to Reproduce:
[root@asus-ux21e ~]# getsebool -a| grep secure
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
[root@asus-ux21e ~]# getenforce
Enforcing
[root@asus-ux21e ~]# setenforce 0; getenforce
Permissive
[root@asus-ux21e ~]# setenforce 1; getenforce
Enforcing
[root@asus-ux21e ~]# setsebool secure_mode=1 secure_mode_policyload=1
[root@asus-ux21e ~]# setenforce 0; getenforce
setenforce:  setenforce() failed
Enforcing
[root@asus-ux21e ~]# setsebool secure_mode_policyload=0
[root@asus-ux21e ~]# setenforce 0; getenforce
Permissive

Actual results:
secure_mode_policyload boolean, allows me to turn it off, when it is turned on.

Expected results:
It should be denied. Only way to disable, should be reboot system (if boolean was set with -P), and set SELinux in to permissive mode by kernel argument.

Additional info:

Comment 1 Daniel Walsh 2014-05-05 18:59:58 UTC

commit af982988c0cb8445adee9b144f34ee97cfcbb068
 fixes this in git.

Comment 2 Fedora Update System 2014-05-21 12:03:03 UTC

selinux-policy-3.12.1-166.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-166.fc20

Comment 3 Fedora Update System 2014-05-21 23:29:50 UTC

Package selinux-policy-3.12.1-166.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-166.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6584/selinux-policy-3.12.1-166.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-05-24 23:28:10 UTC

selinux-policy-3.12.1-166.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.