[refpolicy] seutil_manage_module_store interface missing filetrans

Christopher J. PeBenito cpebenito at tresys.com
Tue Jan 14 09:05:23 EST 2014


On Tue Jan 14 08:59:58 2014, Laurent Bigonville wrote:
> On Tue, 14 Jan 2014 08:51:13 -0500,
> "Christopher J. PeBenito" <cpebenito at tresys.com> wrote:
>
>> On 01/14/14 05:57, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> I've noticed several days ago that semodule operations were
>>> failing in enforcing mode. When adding a module:
>>>
>>> libsemanage.semanage_make_sandbox: Could not copy files to
>>> sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>>>
>>> Russel has proposed a patch to fix this (side note: Russel, I
>>> think this should go in the seutil_manage_module_store interface
>>> instead of the .te):
>>>
>>> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
>>> dir, "tmp")
>>>
>>> Looking at the Fedora policy, they also have:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
>>> "active") filetrans_pattern($1, selinux_config_t, semanage_store_t,
>>> dir, "previous")
>>>
>>> So I'll propose a patch to add these 3 rules.
>>>
>>> But seutil_manage_module_store also contains:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
>>> "modules")
>>>
>>> This seems bogus to me if I'm looking at the .fc,
>>> the /etc/selinux/default/modules directory is labeled as
>>> selinux_config_t and not semanage_store_t.
>>> And /etc/selinux/default/modules/active/modules will inherit the
>>> proper context from the parent.
>>>
>>> So I'm not really sure to which "modules" directory this was
>>> referring (I guess the toplevel one), and whether the fcontext should
>>> be modified or this rule be dropped?
>>
>> It should all be simplified, as everything
>> under /etc/selinux/*/modules should be semanage_store_t, except for
>> the two .LOCK files.  Then we can probably drop the filetrans out of
>> seutil_manage_module_store().  My guess is that rule found its way
>> there due to seutil_manage_module_store(semanage_t).  On further
>> consideration, I think only semanage_t should be creating that
>> directory[1], so it should be the only domain with that filetrans.
>
> So something like:
>
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
>
> And the filetrans currently in the policy (for "modules" directory) can
> stay?

Correct on the fc, but I'd move the filetrans out of the interface back 
into the .te, for semanage_t.


--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
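The label change discussed in this thread comes down to which paths the two file_contexts regexes match. The script below is an added example, not code from the thread or from refpolicy: it emulates file_contexts matching with grep -E for the old and the proposed .fc line, and assumes (as an assumption about the surrounding .fc file) that any path under /etc/selinux not matched by the semanage_store_t line falls back to selinux_config_t. It shows that the old regex leaves the top-level modules directory itself, and anything directly under it, as selinux_config_t, which is exactly where the semanage_t sandbox copy was denied, while the proposed regex covers the whole tree. The two .LOCK files Chris mentions are not modelled here.

```shell
#!/bin/sh
# Added example: emulate refpolicy file_contexts matching for the two regexes
# from the thread. refpolicy regexes are full-path matches, so anchor them.
old_re='^/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?$'
new_re='^/etc/selinux/([^/]*/)?modules(/.*)?$'

# label_with REGEX PATH: print the type a path would get under that .fc line.
# Assumption: the fallback for unmatched paths under /etc/selinux is
# selinux_config_t (the broader catch-all line in the real .fc).
label_with() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then
        echo semanage_store_t
    else
        echo selinux_config_t
    fi
}

# changed_by_patch PATH: prints "changed" if the proposed .fc line relabels
# the path, "same" otherwise.
changed_by_patch() {
    if [ "$(label_with "$old_re" "$1")" = "$(label_with "$new_re" "$1")" ]; then
        echo same
    else
        echo changed
    fi
}

# Constructed sample paths: the store root, the sandbox dir from the denial,
# a nested modules dir, and a second policy store name.
for p in /etc/selinux/default/modules \
         /etc/selinux/default/modules/tmp \
         /etc/selinux/default/modules/active/modules \
         /etc/selinux/targeted/modules/somefile; do
    printf '%-48s old=%-17s new=%-17s %s\n' "$p" \
        "$(label_with "$old_re" "$p")" \
        "$(label_with "$new_re" "$p")" \
        "$(changed_by_patch "$p")"
done
```

On a live system the same comparison is what `matchpathcon` (or `restorecon -nv`) would report after the .fc change is installed; the directory created by semanage_t during a transaction still needs the filetrans rule in the .te so that a fresh store gets semanage_store_t even before any relabel runs.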
