[refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t

Laurent Bigonville bigon at debian.org
Wed Jan 15 13:02:59 EST 2014


From: Laurent Bigonville <bigon at bigon.be>

Move the filetrans_pattern out of the seutil_manage_module_store
interface, as only semanage_t should be creating this directory
---
 policy/modules/system/selinuxutil.fc | 2 +-
 policy/modules/system/selinuxutil.if | 1 -
 policy/modules/system/selinuxutil.te | 2 ++
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index d43f3b1..ec19d63 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -9,7 +9,7 @@
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
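Review bot: The widened `modules(/.*)?` entry now labels the `modules` directory itself and any unlisted subdirectory as semanage_store_t, so the two `semanage\.read\.LOCK` / `semanage\.trans\.LOCK` entries on the following lines only keep their lock types because file_contexts matching prefers the entry with the longer literal stem over the regex; that dependency is worth pinning with a comment, e.g. `# the LOCK entries below must remain more specific than the modules(/.*)? rule`. Existing stores presumably had the bare `modules` directory labeled by the generic `/etc/selinux` rule outside this hunk, so a relabel of `/etc/selinux` is needed for the new type_transition in selinuxutil.te to be consistent with on-disk labels. Note also that the store entries stay at `s0` while the neighbouring `selinux_config_t` entries use `mls_systemhigh`; that is pre-existing, but the regex is now broader, so it may deserve a second look on MLS builds.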
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e5ff626..bee06f4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
-	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 ')
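Review bot: With the `filetrans_pattern` line removed, any other caller of `seutil_manage_module_store` that happens to create `modules` under a selinux_config_t directory will now get a selinux_config_t directory that this interface does not grant management of; the interface's summary comment (which starts above the hunk and is not visible here) should say so explicitly. Suggested wording for the doc block: `## No name transition for creating the modules directory is granted here; only semanage_t creates it (see selinuxutil.te).` The `manage_dirs_pattern($1, selinux_config_t, semanage_store_t)` line above still supplies search on selinux_config_t and full dir management on semanage_store_t, so creating subdirectories inside an already-labeled store continues to work without the transition.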
 
 #######################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 551ac96..cb5610f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
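Review bot: The new `filetrans_pattern` line is dropped between the policy_config_t and semanage_tmp_t rules with no explanation of why the transition lives here rather than in `seutil_manage_module_store`, which the interface hunk just removed it from; a one-line comment preserves that rationale for the next maintainer, e.g. `# only semanage_t creates the module store directory; the transition is deliberately not part of seutil_manage_module_store()`. `filetrans_pattern` grants rw_dir_perms on selinux_config_t (enough for add_name) but not `create` on semanage_store_t:dir, so this line presumably relies on a `seutil_manage_module_store(semanage_t)` call elsewhere in this file for the create permission; confirm that call exists, otherwise the transition is declared but the mkdir is denied.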
-- 
1.8.5.2


