[refpolicy] [PATCH 1/1] Allow semanage_t to manage directories
dsugar at tresys.com
Thu Oct 12 16:10:51 UTC 2017
> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Wednesday, October 11, 2017 6:34 PM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow semanage_t to manage
> On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> > Using semodule to install a module (and in turn rebuild the policy) is
> > making a tmp directory. This directory creation was being denied (see
> > below audit logs). The change allows these directories to be created
> > (and removed).
... snip ...
> > Signed-off-by: Dave Sugar <dsugar at tresys.com>
> > ---
> > policy/modules/system/selinuxutil.te | 1 +
> > 1 file changed, 1 insertion(+)
> > diff --git a/policy/modules/system/selinuxutil.te
> > b/policy/modules/system/selinuxutil.te
> > index e9f86664..b14a901d 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> > seutil_libselinux_linked(semanage_t)
> > seutil_manage_file_contexts(semanage_t)
> > seutil_manage_config(semanage_t)
> > +seutil_manage_config_dirs(semanage_t)
> > seutil_run_setfiles(semanage_t, semanage_roles)
> > seutil_run_loadpolicy(semanage_t, semanage_roles)
> > seutil_manage_bin_policy(semanage_t)
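Review bot: the added `seutil_manage_config_dirs(semanage_t)` grants full manage access (create, remove, rename) on every directory labelled with the SELinux config type, while the commit message only describes one tmp directory being created and removed, and the audit logs it refers to are snipped here, so the target type of the denied directory cannot be checked against the hunk. Please include the denial line (the `tclass=dir` entry) in the commit message, and if the target is only a config-type directory because the distribution keeps store-root at /etc/selinux rather than the semanage_store_t location under /var/lib/selinux, either scope the call with ifdef(`distro_redhat', ...) or leave it out and fix the store-root instead.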
> This shouldn't be necessary as current systems have the module store in
> /var/lib/selinux, which is all semanage_store_t.
Thanks for pointing this out. It turns out that RHEL 7.3 (and 7.4) are still defaulting the store-root to /etc/selinux hence the denial I was seeing. They make a reference to this in the 7.3 release notes, "Chapter 15: Security" (page 83) of the RHEL 7.3 changelog mentions the update of selinux userspace and the /var/lib/selinux vs /etc/selinux issue. Supposedly RedHat bugzilla #1297815 contains the reason they default to /etc/selinux, but it looks like it isn't a publicly viewable bug.
I have changed the store-root in /etc/selinux/semanage.conf to point to /var/lib/selinux on the system I am working on and it seems to be functioning correctly (with minimal testing so far). If for some reason I find problems I will resubmit with an 'ifdef(distro_redhat)' around that interface call.
> Chris PeBenito
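The thread turns on which store-root a system actually uses, since that decides whether semodule writes under /etc/selinux or /var/lib/selinux. The script below is an added example, not code from the thread, refpolicy or libsemanage: it reads the `store-root` option from a semanage.conf, falls back to /var/lib/selinux when the option is absent (the fallback value is an assumption about the libsemanage default, not stated on the page), and reports the directory semodule will modify for a given policy type so you can check its label before changing policy. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the refpolicy thread or libsemanage).
# Reports the effective module store root from a semanage.conf so you can
# tell whether semodule will write under /etc/selinux or /var/lib/selinux.

# Assumption: libsemanage uses this root when store-root is not set.
DEFAULT_STORE_ROOT=/var/lib/selinux

# effective_store_root CONF_FILE
# Prints the store-root configured in CONF_FILE, ignoring comments and
# blank lines and honouring the last setting if it appears more than once;
# prints DEFAULT_STORE_ROOT when the file is missing or has no store-root.
effective_store_root() {
    conf="$1"
    root=""
    if [ -r "$conf" ]; then
        root=$(sed -e 's/#.*//' "$conf" \
            | sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
            | tail -n 1)
    fi
    printf '%s\n' "${root:-$DEFAULT_STORE_ROOT}"
}

# module_store_dir CONF_FILE POLICY_TYPE
# Prints the per-policy-type directory under the store root, i.e. the tree
# semodule creates its working directories in (e.g. .../targeted).
module_store_dir() {
    printf '%s/%s\n' "$(effective_store_root "$1")" "$2"
}

# Constructed sample configs, not copied from any real system.
tmpdir=$(mktemp -d)
cat > "$tmpdir/rhel-style.conf" <<'EOF'
module-store = direct
# store still rooted at the old location, as the thread describes for RHEL 7.3/7.4
store-root = /etc/selinux
EOF
cat > "$tmpdir/upstream-style.conf" <<'EOF'
module-store = direct
# no store-root line: the default applies
EOF

for f in rhel-style upstream-style; do
    echo "$f: store-root=$(effective_store_root "$tmpdir/$f.conf")" \
         "module dir=$(module_store_dir "$tmpdir/$f.conf" targeted)"
done
rm -rf "$tmpdir"

# On a live system, check the label of the directory semodule will write to:
#   ls -dZ "$(module_store_dir /etc/selinux/semanage.conf targeted)"
# A semanage_store_t label means the module store is where refpolicy expects
# it; a config-type label means the store is still under /etc/selinux and the
# directory-creation denial from the thread can recur.
```

Run the script as-is to see the two sample results; on a real host, pass /etc/selinux/semanage.conf and the system's policy type to `module_store_dir` and compare the reported path and its label with what the denial names, before deciding between fixing store-root and adding a policy rule.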