[refpolicy] restorecon needs to read bin_t symlinks
Guido Trentalancia
guido at trentalancia.com
Sat Mar 19 10:45:06 CDT 2011
Hello!
I have recently started to experience AVC denials due to restorecon
trying to read bin_t symbolic links. It is not entirely clear to me what
is triggering this, since everything has been working fine for a long
time.
In any case, I had to apply the following patch on my system (and I am
still asking myself why not files_read_all_symlinks then?):
diff -pruN refpolicy-git-17032011/policy/modules/kernel/files.if refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if
--- refpolicy-git-17032011/policy/modules/kernel/files.if 2011-02-22 18:50:44.460551925 +0100
+++ refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if 2011-03-19 16:21:01.701636861 +0100
@@ -4425,7 +4425,28 @@ interface(`files_relabelfrom_usr_files',
########################################
## <summary>
-## Read symbolic links in /usr.
+## Read symbolic links with type
+## bin_t (usually located in /bin,
+## /sbin, /usr/bin and /usr/sbin).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links with type
+## usr_t (usually located in /usr).
## </summary>
## <param name="domain">
## <summary>
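Review bot: the new files_read_bin_symlinks interface is added to files.if even though bin_t has to be pulled in through gen_require, which signals the type is declared by a different module; refpolicy convention is to keep a type's interfaces in the module that declares the type, so this interface belongs next to the other bin_t interfaces rather than in files.if. The same hunk also silently rewords the summary of the existing files_read_usr_symlinks interface (dropping "Read symbolic links in /usr." in favour of "Read symbolic links with type usr_t (usually located in /usr)."); that is an unrelated documentation change and should be split out or at least mentioned in the patch description.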
diff -pruN refpolicy-git-17032011/policy/modules/system/selinuxutil.te refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te
--- refpolicy-git-17032011/policy/modules/system/selinuxutil.te 2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te 2011-03-19 16:16:13.198810817 +0100
@@ -527,6 +527,7 @@ files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
+files_read_bin_symlinks(setfiles_t)
files_read_usr_symlinks(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
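Review bot: the added files_read_bin_symlinks(setfiles_t) only covers the one type the reported AVC denial named, but setfiles_t already holds files_list_all and files_relabel_all_files, i.e. it walks and relabels the whole tree, so the same symlink-read denial is likely for symlinks of other types it encounters. Either justify in the description why the grant is deliberately limited to bin_t, or use the broader read-all-symlinks interface the cover note itself raises and say so; as it stands the patch fixes one symptom without explaining why the narrower grant is the intended scope.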