[refpolicy] [PATCH 1/1] Allow semanage_t to manage directories

David Sugar dsugar at tresys.com
Wed Oct 11 15:08:19 UTC 2017


Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory.  This directory creation was being denied (see below audit logs).  The change allows these directories to be created (and removed).

type=AVC msg=audit(1507612960.892:118): avc:  denied  { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.155:120): avc:  denied  { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.156:121): avc:  denied  { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1
type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.491:124): avc:  denied  { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.497:125): avc:  denied  { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)

Signed-off-by: Dave Sugar <dsugar at tresys.com>
---
 policy/modules/system/selinuxutil.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index e9f86664..b14a901d 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
 seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
+seutil_manage_config_dirs(semanage_t)
 seutil_run_setfiles(semanage_t, semanage_roles)
 seutil_run_loadpolicy(semanage_t, semanage_roles)
 seutil_manage_bin_policy(semanage_t)
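Review bot: the hunk only adds the call `seutil_manage_config_dirs(semanage_t)` in selinuxutil.te and the diffstat shows no change to selinuxutil.if, so please confirm the interface is already defined in this tree; an undefined interface fails at policy build time. The quoted denials are exactly { create rename rmdir } on selinux_config_t directories, while a manage-dirs interface grants a wider set (write, add_name, remove_name, reparent and so on); that fits semodule's build-in-tmp-then-rename workflow, but the commit message should say that the broader grant is intended rather than only listing the three denied permissions. It is also worth noting in the message that every paired SYSCALL record shows success=yes, i.e. the denials were collected with the domain permissive, which is why all of them appear in one run.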
-- 
2.13.5
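An added example, not part of the patch or of refpolicy, that does what a policy developer does with the AVC records quoted in the description above: parse the denial lines, merge them per source type, target type and object class, render the minimal allow rule, and check whether the denied permissions fall inside refpolicy's manage_dirs_pattern() permission set. The assumption that seutil_manage_config_dirs() is built on that pattern is the example's own.

```python
import re
from collections import defaultdict

# The five AVC records quoted in the patch description above (SYSCALL records omitted).
AVC_LOG = """\
type=AVC msg=audit(1507612960.892:118): avc:  denied  { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.155:120): avc:  denied  { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.156:121): avc:  denied  { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.491:124): avc:  denied  { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.497:125): avc:  denied  { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
"""

# Directory permissions granted by refpolicy's manage_dirs_pattern().
# Assumption: seutil_manage_config_dirs() is implemented with that pattern.
MANAGE_DIR_PERMS = frozenset("""create open getattr setattr read write link unlink
    rename search add_name remove_name reparent rmdir lock ioctl""".split())

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # Type is the third field of a user:role:type[:range] security context.
    return ctx.split(":")[2]

def parse_avc(text):
    """Return (source type, target type, class, {perms}) for each AVC denial line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((context_type(m["scon"]), context_type(m["tcon"]),
                        m["tclass"], set(m["perms"].split())))
    return out

def summarize(records):
    """Merge denials into {(stype, ttype, tclass): set of denied permissions}."""
    summary = defaultdict(set)
    for stype, ttype, tclass, perms in records:
        summary[(stype, ttype, tclass)] |= perms
    return dict(summary)

def allow_rules(summary):
    """Render each merged entry as the minimal allow rule that would satisfy it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def not_covered(perms, granted=MANAGE_DIR_PERMS):
    """Denied permissions that the assumed manage-dirs grant would still leave denied."""
    return set(perms) - granted
```

Running `allow_rules(summarize(parse_avc(AVC_LOG)))` yields a single rule for semanage_t on selinux_config_t:dir with { create rename rmdir }, and `not_covered` of that set is empty, which is the check that the proposed interface is sufficient for the quoted denials.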

