[refpolicy] [PATCH 1/1] Allow semanage_t to manage directories

Chris PeBenito pebenito at ieee.org
Wed Oct 11 22:34:10 UTC 2017


On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory.  This directory creation was being denied (see below audit logs).  The change allows these directories to be created (and removed).
> 
> type=AVC msg=audit(1507612960.892:118): avc:  denied  { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.155:120): avc:  denied  { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.156:121): avc:  denied  { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1
> type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.491:124): avc:  denied  { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.497:125): avc:  denied  { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> 
> Signed-off-by: Dave Sugar <dsugar at tresys.com>
> ---
>   policy/modules/system/selinuxutil.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index e9f86664..b14a901d 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
>   seutil_libselinux_linked(semanage_t)
>   seutil_manage_file_contexts(semanage_t)
>   seutil_manage_config(semanage_t)
> +seutil_manage_config_dirs(semanage_t)
>   seutil_run_setfiles(semanage_t, semanage_roles)
>   seutil_run_loadpolicy(semanage_t, semanage_roles)
>   seutil_manage_bin_policy(semanage_t)
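Review bot: the added `seutil_manage_config_dirs(semanage_t)` at line +535 grants semanage_t create/rename/rmdir on every selinux_config_t directory, which is wider than the four store directories ("tmp", "active", "base", "files") named in the AVCs, and the AVCs themselves point to a labeling question rather than a missing rule: the module store that semodule is renaming and removing is labeled selinux_config_t here, whereas the reply below notes that the store on current systems sits under /var/lib/selinux as semanage_store_t. Before widening the domain, check where libsemanage's store root is on the affected system and relabel it, and state the outcome in the commit message. Also note that every paired SYSCALL record reports success=yes, i.e. these denials were collected with the domain (or system) permissive, which is worth saying in the description so reviewers know the list is complete rather than the first denial of an enforcing run.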


This shouldn't be necessary as current systems have the module store in 
/var/lib/selinux, which is all semanage_store_t.

-- 
Chris PeBenito
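An added example, not part of this thread or of refpolicy, for triaging AVC records like the ones quoted above. It parses AVC denials together with their SYSCALL records (matched by audit serial), groups the denied permissions by source type, target type and object class, renders the minimal allow rule in the style audit2allow would, and flags directory targets whose label is not the expected store type. The sample records are shortened copies of the quoted audit lines; the expectation that store directories carry `semanage_store_t` is taken from the reply above, and `store_label_warning` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Sample records copied from the AVC/SYSCALL lines quoted in the thread above,
# shortened to the fields this script uses (one AVC and one SYSCALL per serial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1507612960.892:118): avc:  denied  { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 comm="semodule" exe="/usr/sbin/semodule"
type=AVC msg=audit(1507612985.155:120): avc:  denied  { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 comm="semodule" exe="/usr/sbin/semodule"
type=AVC msg=audit(1507612985.491:124): avc:  denied  { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 comm="semodule" exe="/usr/sbin/semodule"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)'
)


def type_of(context):
    """Return the type field (third colon-separated component) of a security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse AVC denials into dicts, attaching the SYSCALL outcome with the same serial."""
    syscall_success = {}
    for m in SYSCALL_RE.finditer(text):
        syscall_success[m.group("serial")] = m.group("success") == "yes"
    records = []
    for m in AVC_RE.finditer(text):
        if m.group("verdict") != "denied":
            continue
        serial = m.group("serial")
        records.append({
            "serial": serial,
            "perms": set(m.group("perms").split()),
            "source_type": type_of(m.group("scontext")),
            "target_type": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # A denial whose syscall still reports success=yes was logged while the
            # domain (or the whole system) was permissive; None if no SYSCALL record.
            "permissive": syscall_success.get(serial),
        })
    return records


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source_type"], r["target_type"], r["tclass"])] |= r["perms"]
    return dict(grouped)


def allow_rules(records):
    """Render the minimal allow rules covering the denials, audit2allow style."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summarize(records).items())
    ]


def store_label_warning(records, expected="semanage_store_t"):
    """Return directory target types that are not the expected module-store label.

    Hypothetical helper: a non-empty result suggests relabeling the store rather
    than widening the policy for the type that happens to be on the directories.
    """
    return sorted({r["target_type"] for r in records
                   if r["tclass"] == "dir" and r["target_type"] != expected})


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    print("all denials logged in permissive mode:", all(r["permissive"] for r in recs))
    print("directory targets not labelled as the store:", store_label_warning(recs))
```

Running it against the sample prints a single `allow semanage_t selinux_config_t:dir { create rename rmdir };` rule, reports that every denial was collected in permissive mode, and lists `selinux_config_t` as the unexpected store label, which is the same diagnosis the reply makes by hand.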

