[refpolicy] seutil_manage_module_store interface missing filetrans

Laurent Bigonville bigon at debian.org
Tue Jan 14 08:59:58 EST 2014


On Tue, 14 Jan 2014 08:51:13 -0500,
"Christopher J. PeBenito" <cpebenito at tresys.com> wrote:

> On 01/14/14 05:57, Laurent Bigonville wrote:
> > Hi,
> > 
> > I've noticed several days ago that semodule operations were
> > failing in enforcing mode. When adding a module:
> > 
> > libsemanage.semanage_make_sandbox: Could not copy files to
> > sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> > 
> > Russel has proposed a patch to fix this (side note: Russel, I
> > think this should go in the seutil_manage_module_store interface
> > instead of the .te):
> > 
> > filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
> > dir, "tmp")
> > 
> > Looking at the Fedora policy, they also have:
> > 
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> > 
> > So I'll propose a patch to add these 3 rules.
> > 
> > But seutil_manage_module_store also contains:
> > 
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
> > "modules")
> > 
> > This seems bogus to me if I'm looking at the .fc,
> > the /etc/selinux/default/modules directory is labeled as
> > selinux_config_t and not semanage_store_t.
> > And /etc/selinux/default/modules/active/modules will inherit the
> > proper context from the parent.
> > 
> > So I'm not really sure to which "modules" directory this was
> > referring (I guess the toplevel one), and whether the fcontext should
> > be modified or this rule be dropped?
> 
> It should all be simplified, as everything
> under /etc/selinux/*/modules should be semanage_store_t, except for
> the two .LOCK files.  Then we can probably drop the filetrans out of
> seutil_manage_module_store().  My guess is that rule found its way
> there due to seutil_manage_module_store(semanage_t).  On further
> consideration, I think only semanage_t should be creating that
> directory[1], so it should be the only domain with that filetrans.

So something like:

-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
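Review bot: the widened regex on the `+` line also matches the two .LOCK files directly under modules/, which the reply above names as the one exception to semanage_store_t; those files need their own more specific entries (regular-file `--` column) kept alongside this catch-all so that they are not relabeled by it.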

And the filetrans currently in the policy (for "modules" directory) can
stay?
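To see what the before and after fc entries actually relabel, here is an added Python toy matcher (not refpolicy code, not from the thread) that applies both entries to a few constructed paths. The base selinux_config_t entry and the semanage.read.LOCK / semanage.trans.LOCK names and lock types are assumed for illustration, and "last matching entry wins" is a simplification of how setfiles orders file_contexts.

```python
import re

# Constructed mini file_contexts table: (regex, file-type column, context).
# The two "modules" entries are the before/after lines from the thread; the
# BASE entry and the two .LOCK entries use assumed paths/types for illustration.
BASE = [(r"/etc/selinux(/.*)?", None, "system_u:object_r:selinux_config_t:s0")]
OLD_MODULES = [(r"/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?", None,
                "system_u:object_r:semanage_store_t:s0")]
NEW_MODULES = [(r"/etc/selinux/([^/]*/)?modules(/.*)?", None,
                "system_u:object_r:semanage_store_t:s0")]
LOCKS = [(r"/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK", "--",
          "system_u:object_r:semanage_read_lock_t:s0"),
         (r"/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK", "--",
          "system_u:object_r:semanage_trans_lock_t:s0")]


def label(path, entries, is_dir=False):
    """Simplified setfiles rule: the last matching entry wins, so the more
    specific entries must come later (refpolicy's fc_sort orders them at build time)."""
    ctx = None
    for regex, ftype, context in entries:
        # honour the file-type column: "--" is regular files only, "-d" directories only
        if (ftype == "--" and is_dir) or (ftype == "-d" and not is_dir):
            continue
        if re.fullmatch(regex, path):
            ctx = context
    return ctx


def compare(path, is_dir=False, keep_locks=True):
    """Return (old, new) labels for a path under the before/after fc entries,
    optionally dropping the .LOCK entries to show what the catch-all alone does."""
    locks = LOCKS if keep_locks else []
    return (label(path, BASE + OLD_MODULES + locks, is_dir),
            label(path, BASE + NEW_MODULES + locks, is_dir))


if __name__ == "__main__":
    for p, d in [("/etc/selinux/default/modules", True),
                 ("/etc/selinux/default/modules/tmp", True),
                 ("/etc/selinux/default/modules/active/modules", True),
                 ("/etc/selinux/default/modules/semanage.read.LOCK", False)]:
        print(p, compare(p, d), compare(p, d, keep_locks=False))
```

The last path shows the point of the thread: with the widened entry alone, the lock file falls into semanage_store_t, and only a later, more specific `--` entry keeps it on its own type.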