[Resending after accidentally dropping cc to the list]

On 31/08/2011 18:15, Stephen Smalley wrote:
> The logic in selinux_set_enforce_mode() in
> policy/modules/kernel/selinux.if is:
> ...
>     if(!secure_mode_policyload) {
>         allow $1 security_t:security setenforce;
>         ...
>     }
> Notice the logical negation (!) in the above if statement.

Ah, thank you! I had looked at those lines earlier, without fully
understanding how the policy fitted together. Indeed, I set
secure_mode_policyload to 'on' based on that code to fix the fact
that root could still run setenforce, even without changing role
to secadm_r. But unfortunately, I see now, the reason root could
run setenforce without changing to secadm_r is that root gets
sysadm_r by default - and changing secure_mode_loadpolicy prevents
*both* sysadm_r *and* secadm_r from administering policy - which
wasn't what I was trying to achieve.

    ifdef(`enable_mls',`
        userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
    #   tunable_policy(`allow_sysadm_manage_security',`
            userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
    #   ')

If the allow_sysadm_manage_security boolean was implemented in
this policy then I could simply set that to 'off'. Given it's
not - what's the best way to grant this permission to secadm_r
only? Presumably I want to set secure_mode_loadpolicy to 'on' as
now so that the shipped policy doesn't give permissions, and then
load some custom TE rules to add the necessary permissions for
secadm_r to administer security policy?
Regards
roy
--
Roy Badami
Roboreus Ltd
1 New Oxford Street
London WC1A 1NU
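
One way to write the custom TE rule the message above asks about, as an added example that is not part of the original message or of the reference policy. The module name is hypothetical; it covers only the setenforce permission shown in the thread and assumes the parts of selinux_set_enforce_mode() outside the conditional (elided as "..." above) already apply to secadm_t.

```te
# Added example: secadm_setenforce.te (hypothetical module name).
policy_module(secadm_setenforce, 1.0.0)

gen_require(`
	type secadm_t;
	type security_t;
	class security setenforce;
')

# Shipped rule, from selinux_set_enforce_mode() as quoted in the thread:
# it is wrapped in if(!secure_mode_policyload), so it is disabled for
# every caller of the interface once that boolean is on.
#
# The rule below sits outside any conditional block, so the boolean does
# not affect it, and it names only secadm_t, so sysadm_t gains nothing.
allow secadm_t security_t:security setenforce;

# Build and load (assumes the policy development Makefile is installed
# at this path, as on Fedora/RHEL):
#   make -f /usr/share/selinux/devel/Makefile secadm_setenforce.pp
#   semodule -i secadm_setenforce.pp
#
# Check which domains hold the permission, conditional rules included:
#   sesearch --allow -t security_t -c security -p setenforce -C
```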