[refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir

HarryCiao harrytaurus2002 at hotmail.com
Mon Dec 20 21:35:24 CST 2010


1. Make semanage_t able to read from user home dirs or /tmp. Otherwise it
would fail to upgrade a .pp installed there, with the error messages below.
BTW, semanage_t should be able to upgrade an existing .pp regardless of
whether MLS is enabled or not.
 
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root at qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root at qemu-host:/root>
 
2. Make semanage_t able to manage the policy store directory; otherwise it
would fail to update an existing .pp.
 
root at qemu-host:/root> semodule -u vlock.pp
type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/refpolicy/modules/active to /etc/selinux/refpolicy/modules/previous. (Permission denied).
semodule: Failed!
 
type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
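The denials quoted in this post are the usual starting point for a policy fix: each AVC record names the source type, target type, object class and the permission that was refused, and the job is to fold many records into a few (source, target, class) permission sets before choosing the refpolicy interface that grants them. The parser below is an added example, not code from this post or from refpolicy; the function names are my own, and the sample records are copied from the AVC lines above (the type=1404 mode-change line is included to show that non-AVC records are skipped).

```python
import re
from collections import defaultdict

# Constructed sample input: the audit records quoted in the post, one per line.
SAMPLE_AUDIT = """\
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value ..." ; everything after "for" is key=value pairs.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value where value is either a double-quoted string or a run of non-blank characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """Return the type field of a security context (user:role:type[:range]).

    The MLS range itself contains ':' (e.g. s0-s15:c0.c1023), so the context is
    split from the left and the third field is taken, never the last one."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return {"verdict": verdict, "perms": perms.split(), "fields": fields}


def summarize_denials(text):
    """Fold denied AVC records into {(source_type, target_type, class): [perms]}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        f = rec["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def as_allow_rules(summary):
    """Render the summary as raw allow rules, sorted, purely as a reading aid.

    In refpolicy the actual fix is expressed through the module interfaces that
    wrap these types (home-dir content, the policy store), not by pasting raw
    allow rules into semanage.te."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in summary.items()
    )


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

Running it on the post's records yields three sets: semanage_t needs search on user_home_dir_t directories and getattr/open/read on user_home_t files (fixup 1), and rename/rmdir on selinux_config_t directories (fixup 2). The summary only says what the kernel refused during the two failed `semodule -u` runs; whether each permission belongs in the policy is the reviewer's call, which is why the post frames the change as "semanage_t should be able to manage the policy store" rather than as the bare denials.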
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-semanage_t-read-from-userhomedirs.patch
Type: application/octet-stream
Size: 3175 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-semanage_t-manage-policy-store.patch
Type: application/octet-stream
Size: 1697 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0003.obj 