[refpolicy] seutil_manage_module_store interface missing filetrans

Christopher J. PeBenito cpebenito at tresys.com
Tue Jan 14 08:51:13 EST 2014


On 01/14/14 05:57, Laurent Bigonville wrote:
> Hi,
> 
> I've noticed several days ago that semodule operations were failing
> in enforcing mode. When adding a module:
> 
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> 
> Russel has proposed a patch to fix this (side note: Russel, I think this
> should go in the seutil_manage_module_store interface instead of
> the .te):
> 
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
> 
> Looking at the Fedora policy, they also have:
> 
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> 
> So I'll propose a patch to add these 3 rules.
> 
> But seutil_manage_module_store also contains:
> 
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> 
> This seems bogus to me if I'm looking at the .fc,
> the /etc/selinux/default/modules directory is labeled as
> selinux_config_t and not semanage_store_t.
> And /etc/selinux/default/modules/active/modules will inherit the proper
> context from the parent.
> 
> So I'm not really sure which "modules" directory this was
> referring to (I guess the toplevel one), and whether the fcontext should be
> modified or this rule be dropped?

It should all be simplified, as everything under /etc/selinux/*/modules should be semanage_store_t, except for the two .LOCK files.  Then we can probably drop the filetrans out of seutil_manage_module_store().  My guess is that rule found its way there due to seutil_manage_module_store(semanage_t).  On further consideration, I think only semanage_t should be creating that directory[1], so it should be the only domain with that filetrans.


[1] package managers too, but they should work correctly since they matchpathcon/setfscreate on the stuff they install

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
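An added example, not part of the thread and not refpolicy code: a small POSIX shell check that audits a module store listing against the expectation stated above (everything under /etc/selinux/*/modules carries semanage_store_t, the .LOCK files excepted). It assumes the listing format produced by GNU `find -printf '%p %Z\n'` (path, space, context), assumes the lock files are the only entries matching `*.LOCK`, and the sample listing is constructed for the example; the `selinux_config_t` entries in it stand in for the mislabeling discussed in the thread.

```shell
#!/bin/sh
# Audit a module store listing for entries not labeled semanage_store_t.
# Added example; the sample below is constructed, not a real system's state.
# Real input would come from:
#   find /etc/selinux/default/modules -printf '%p %Z\n' | audit_module_store
# (GNU find; paths are assumed to contain no whitespace.)

SAMPLE_LISTING='/etc/selinux/default/modules system_u:object_r:selinux_config_t:s0
/etc/selinux/default/modules/semanage.read.LOCK system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/default/modules/tmp system_u:object_r:selinux_config_t:s0
/etc/selinux/default/modules/active system_u:object_r:semanage_store_t:s0
/etc/selinux/default/modules/active/modules system_u:object_r:semanage_store_t:s0
/etc/selinux/default/modules/previous system_u:object_r:semanage_store_t:s0'

# Reads "path context" lines on stdin and prints "path type" for every entry
# whose type is not the expected one (default semanage_store_t). Entries
# named *.LOCK are skipped: the lock files legitimately carry their own types
# (assumption: the lock files are the only *.LOCK names in the store).
audit_module_store() {
    expected="${1:-semanage_store_t}"
    while read -r path ctx; do
        [ -n "$path" ] || continue
        case "$path" in
            *.LOCK) continue ;;
        esac
        # A context is user:role:type[:level]; the type is the third field.
        ftype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$ftype" != "$expected" ]; then
            printf '%s %s\n' "$path" "$ftype"
        fi
    done
}

# Number of mislabeled entries in the constructed sample; a monitoring job
# would feed a live listing instead and alert on a non-zero count.
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_module_store | wc -l | tr -d ' '
}
```

With the sample above the check reports the toplevel `modules` directory and its `tmp` subdirectory, which is exactly the state that produces the `semanage_make_sandbox` permission error quoted at the top of the thread once semanage_t is confined to semanage_store_t.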

