[refpolicy] [PATCH 1/1] Allow semanage_t to manage directories

David Sugar dsugar at tresys.com
Thu Oct 12 16:10:51 UTC 2017



> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Wednesday, October 11, 2017 6:34 PM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow semanage_t to manage
> directories
> 
> On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> > Using semodule to install a module (and in turn rebuild the policy) is
> making a tmp directory.  This directory creation was being denied (see
> below audit logs).  The change allows these directories to be created
> (and removed).
> >
 ... snip ...
> >
> > Signed-off-by: Dave Sugar <dsugar at tresys.com>
> > ---
> >   policy/modules/system/selinuxutil.te | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/selinuxutil.te
> > b/policy/modules/system/selinuxutil.te
> > index e9f86664..b14a901d 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> >   seutil_libselinux_linked(semanage_t)
> >   seutil_manage_file_contexts(semanage_t)
> >   seutil_manage_config(semanage_t)
> > +seutil_manage_config_dirs(semanage_t)
> >   seutil_run_setfiles(semanage_t, semanage_roles)
> >   seutil_run_loadpolicy(semanage_t, semanage_roles)
> >   seutil_manage_bin_policy(semanage_t)
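Review bot: the added `seutil_manage_config_dirs(semanage_t)` line grants semanage_t directory management under the /etc/selinux config labeling unconditionally, but the follow-up in this thread shows the denial only reproduces when store-root is left at /etc/selinux (the RHEL 7.3/7.4 default), while current systems keep the module store in /var/lib/selinux as semanage_store_t and need no new rule; either drop the change in favour of setting store-root in semanage.conf, or wrap the call in `ifdef(`distro_redhat', ...)` as the submitter proposes. The AVC records the commit message refers to ("see below audit logs") were snipped from the quoted text, so the exact denied path and class cannot be checked here.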
> 
> 
> This shouldn't be necessary as current systems have the module store in
> /var/lib/selinux, which is all semanage_store_t.
> 

Thanks for pointing this out.  It turns out that RHEL 7.3 (and 7.4) are still defaulting the store-root to /etc/selinux, hence the denial I was seeing.  They make a reference to this in the 7.3 release notes: "Chapter 15: Security" (page 83) of the RHEL 7.3 changelog [1] mentions the update of selinux userspace and the /var/lib/selinux vs /etc/selinux issue. Supposedly Red Hat Bugzilla #1297815 contains the reason they default to /etc/selinux, but it looks like it isn't a publicly viewable bug.

I have changed the store-root in /etc/selinux/semanage.conf to point to /var/lib/selinux on the system I am working on and it seems to be functioning correctly (with minimal testing so far).  If for some reason I find problems I will resubmit with an 'ifdef(distro_redhat)' around that interface call.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/7.3_Release_Notes/Red_Hat_Enterprise_Linux-7-7.3_Release_Notes-en-US.pdf

> --
> Chris PeBenito
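An added check for the store-root question raised in this thread (example script, not part of the original mail or of refpolicy): it reads the effective store-root from a semanage.conf file, falling back to /etc/selinux when the key is absent or commented out, and classifies whether the store sits in the legacy /etc/selinux location (the case that produced the denial) or in /var/lib/selinux (labelled semanage_store_t). The "last assignment wins" rule and the fallback path are assumptions of this script, not verified libsemanage behaviour.

```shell
#!/bin/sh
# Added example: find the effective libsemanage store-root from semanage.conf.
# Assumption: an absent or commented-out key means the /etc/selinux default
# that the thread reports for RHEL 7.3/7.4.

# Print the effective store-root for the semanage.conf path given in $1.
effective_store_root() {
    conf="$1"
    root=""
    if [ -r "$conf" ]; then
        # Uncommented "store-root = PATH" lines only; trailing comments and
        # whitespace are stripped. Assumption: the last assignment wins.
        root=$(sed -n 's/^[[:space:]]*store-root[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    [ -n "$root" ] || root=/etc/selinux
    printf '%s\n' "$root"
}

# Classify a store-root: "legacy" is the /etc/selinux layout that needs the
# extra directory permissions discussed above, "modern" is /var/lib/selinux.
store_layout() {
    case "$1" in
        /etc/selinux|/etc/selinux/*)         echo legacy ;;
        /var/lib/selinux|/var/lib/selinux/*) echo modern ;;
        *)                                   echo other ;;
    esac
}

# Report on the live system (default conf path is an assumption); the ls -Z
# line shows the label actually applied to the store directory.
report() {
    root=$(effective_store_root "${1:-/etc/selinux/semanage.conf}")
    echo "store-root: $root ($(store_layout "$root"))"
    [ -d "$root" ] && ls -Zd "$root" 2>/dev/null || true
}
```

Running `report` on a RHEL 7.3/7.4 box with the stock configuration prints the legacy layout, which is the condition under which the AVC denial in the original patch description appears.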

