2014-01-15 18:02:59

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t

From: Laurent Bigonville <[email protected]>

Move the filetrans_pattern out of the seutil_manage_module_store
interface, as only semanage_t should be creating this directory
---
policy/modules/system/selinuxutil.fc | 2 +-
policy/modules/system/selinuxutil.if | 1 -
policy/modules/system/selinuxutil.te | 2 ++
3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index d43f3b1..ec19d63 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -9,7 +9,7 @@
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
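Review bot: The widened `modules(/.*)?` entry on the `+` line now also matches `modules/semanage.read.LOCK` and `modules/semanage.trans.LOCK`, which the two lines directly below label as semanage_read_lock_t and semanage_trans_lock_t; those lock types therefore survive only because the more specific entries sort after the catch-all under file_contexts last-match precedence, an ordering dependency that is invisible on the catch-all line itself. If the lock files ever fell under semanage_store_t, every domain granted the store type would also gain the lock files, so the dependency is worth stating: a comment above the two lock entries such as `# more specific than the modules(/.*)? entry above; must stay after it so the lock types win` would make it explicit. Note also that the `modules` directory itself, which the old `(active|tmp|previous)` form did not cover, is now semanage_store_t, which is what the filetrans_pattern added to selinuxutil.te in the same patch produces at creation time.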
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e5ff626..bee06f4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
- filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
')

#######################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 551ac96..cb5610f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;

allow semanage_t policy_config_t:file rw_file_perms;

+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
+
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
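Review bot: The added filetrans_pattern line carries no explanation of why the "modules" directory transition now lives in the semanage_t domain policy instead of in seutil_manage_module_store, which this same patch strips of it; a reader of selinuxutil.te alone cannot see that link or that other callers of the interface are intentionally left without a transition. Suggest preceding the new line with `# Only semanage_t creates the module store root; seutil_manage_module_store callers deliberately get no transition`. Placement-wise the rule sits between the policy_config_t file rule and the semanage_tmp_t rules; if semanage_t's module-store permissions are granted via seutil_manage_module_store elsewhere in the file (outside this hunk), keeping the two adjacent would make the relationship easier to audit.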
--
1.8.5.2


2014-01-17 13:55:59

by cpebenito

Subject: [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t

On 1/15/2014 1:02 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Move the filetrans_patern out of the seutil_manage_module_store
> interface as only semanage_t should be creating this directory
> ---
> policy/modules/system/selinuxutil.fc | 2 +-
> policy/modules/system/selinuxutil.if | 1 -
> policy/modules/system/selinuxutil.te | 2 ++
> 3 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
> index d43f3b1..ec19d63 100644
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -9,7 +9,7 @@
> /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
> /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
> /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
> /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index e5ff626..bee06f4 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
> manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
> manage_files_pattern($1, semanage_store_t, semanage_store_t)
> manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
> - filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> ')
>
> #######################################
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 551ac96..cb5610f 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
>
> allow semanage_t policy_config_t:file rw_file_perms;
>
> +filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
> +
> allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com