2014-12-02 16:32:44

by Lawrence, Stephen

Subject: [refpolicy] [PATCH] Update policy for selinux userspace moving the policy store to /var/lib/selinux

This keeps /var/lib/selinux labeled as semanage_var_lib_t, but all
directories inside it are now labeled semanage_store_t, except for lock
files.

Signed-off-by: Steve Lawrence <[email protected]>
---
policy/modules/system/selinuxutil.fc | 6 +++++-
policy/modules/system/selinuxutil.if | 3 ++-
policy/modules/system/selinuxutil.te | 1 +
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index ec19d63..8f1eb3c 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -41,11 +41,15 @@
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)

#
# /var/lib
#
-/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
+/var/lib/selinux -d gen_context(system_u:object_r:semanage_var_lib_t,s0)
+/var/lib/selinux/.* gen_context(system_u:object_r:semanage_store_t,s0)
+/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)

#
# /var/run
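Review bot: The new `/usr/libexec/selinux/semanage_migrate_store` entry is appended below the `/usr/sbin` entries although its path sorts before them; if this section of selinuxutil.fc is kept in path order (its section header is above the hunk and not visible here), it belongs ahead of `/usr/sbin/semanage`, or under its own `# /usr/libexec` block. The two lock-file entries overlap with `/var/lib/selinux/.*` and take effect only because file_contexts matching prefers the more specific stem (and, on ties, the later entry), which is not obvious from reading the four lines in sequence. A one-line comment above them, `# store lock files; more specific than the /var/lib/selinux/.* entry and so take precedence`, would save the next reader from checking the matching rules.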
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index bee06f4..ae280bd 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1037,11 +1037,12 @@ interface(`seutil_run_semanage',`
#
interface(`seutil_manage_module_store',`
gen_require(`
- type selinux_config_t, semanage_store_t;
+ type selinux_config_t, semanage_store_t, semanage_var_lib_t;
')

files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ manage_dirs_pattern($1, semanage_var_lib_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
')
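Review bot: The interface now lets `$1` manage semanage_store_t directories beneath semanage_var_lib_t, but nothing grants search on the /var/lib path leading there; the existing `files_search_etc($1)` only covers the /etc/selinux store, so add `files_search_var_lib($1)` next to it. A caller that creates a new store directory under /var/lib/selinux also gets semanage_var_lib_t on it rather than semanage_store_t, because only semanage_t receives a transition in the .te hunk; `filetrans_pattern($1, semanage_var_lib_t, semanage_store_t, dir)` here would keep the two consistent. The interface's summary comment sits above the hunk; if it still describes the store as living under /etc/selinux it should mention /var/lib/selinux as well.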
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index c322a6f..a73874c 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -454,6 +454,7 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })

+filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, dir)
manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
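Review bot: The added transition covers only the `dir` class, while `manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)` two lines below still lets semanage_t create files directly in /var/lib/selinux; those files get semanage_var_lib_t at runtime although the new fc entry `/var/lib/selinux/.*` labels them semanage_store_t, so a relabel silently changes their type. The reply further down the thread notes that current userspace builds permissive modules in exactly that directory, which makes this case live rather than theoretical; `filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, { dir file })` keeps runtime and file_contexts labels in agreement. The semanage_t local policy block this rule belongs to continues outside the hunk.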

--
1.9.3


2014-12-03 13:12:21

by cpebenito

Subject: [refpolicy] [PATCH] Update policy for selinux userspace moving the policy store to /var/lib/selinux

On 12/2/2014 11:32 AM, Steve Lawrence wrote:
> This keeps /var/lib/selinux labeled as semanage_var_lib_t, but all
> directories inside it are now labeled semanage_store_t, except for lock
> files.

Is there anything other than module stores in /var/lib/selinux? I don't
see anything else on my systems. If not, we should drop
semanage_var_lib_t (make it an alias of semanage_store_t for compat) and
make everything under /var/lib/selinux semanage_store_t (except the
locks of course).

> Signed-off-by: Steve Lawrence <[email protected]>
> ---
> policy/modules/system/selinuxutil.fc | 6 +++++-
> policy/modules/system/selinuxutil.if | 3 ++-
> policy/modules/system/selinuxutil.te | 1 +
> 3 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
> index ec19d63..8f1eb3c 100644
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -41,11 +41,15 @@
> /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
> /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
> /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
> +/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
>
> #
> # /var/lib
> #
> -/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
> +/var/lib/selinux -d gen_context(system_u:object_r:semanage_var_lib_t,s0)
> +/var/lib/selinux/.* gen_context(system_u:object_r:semanage_store_t,s0)
> +/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
> +/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
>
> #
> # /var/run
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index bee06f4..ae280bd 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1037,11 +1037,12 @@ interface(`seutil_run_semanage',`
> #
> interface(`seutil_manage_module_store',`
> gen_require(`
> - type selinux_config_t, semanage_store_t;
> + type selinux_config_t, semanage_store_t, semanage_var_lib_t;
> ')
>
> files_search_etc($1)
> manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
> + manage_dirs_pattern($1, semanage_var_lib_t, semanage_store_t)
> manage_files_pattern($1, semanage_store_t, semanage_store_t)
> manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
> ')
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index c322a6f..a73874c 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -454,6 +454,7 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>
> +filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, dir)
> manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
> manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 13:33:53

by Lawrence, Stephen

Subject: [refpolicy] [PATCH] Update policy for selinux userspace moving the policy store to /var/lib/selinux

On 12/03/2014 08:12 AM, Christopher J. PeBenito wrote:
> On 12/2/2014 11:32 AM, Steve Lawrence wrote:
>> This keeps /var/lib/selinux labeled as semanage_var_lib_t, but all
>> directories inside it are now labeled semanage_store_t, except for lock
>> files.
>
> Is there anything other than module stores in /var/lib/selinux? I don't
> see anything else on my systems. If so, we should drop
> semanage_var_lib_t (make it an alias of semanage_store_t for compat) and
> make everything under /var/lib/selinux semanage_store_t (except the
> locks of course).
>

The current selinux userspace only uses it as a temporary location to
build permissive modules for the 'semanage permissive' command. However,
the next userspace release changes that so that only the module store
lives in /var/lib/selinux. Permissive modules are handled differently.
I'll send an updated patch with your recommendations.

>> Signed-off-by: Steve Lawrence <[email protected]>
>> ---
>> policy/modules/system/selinuxutil.fc | 6 +++++-
>> policy/modules/system/selinuxutil.if | 3 ++-
>> policy/modules/system/selinuxutil.te | 1 +
>> 3 files changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
>> index ec19d63..8f1eb3c 100644
>> --- a/policy/modules/system/selinuxutil.fc
>> +++ b/policy/modules/system/selinuxutil.fc
>> @@ -41,11 +41,15 @@
>> /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
>> /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
>> /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
>> +/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
>>
>> #
>> # /var/lib
>> #
>> -/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
>> +/var/lib/selinux -d gen_context(system_u:object_r:semanage_var_lib_t,s0)
>> +/var/lib/selinux/.* gen_context(system_u:object_r:semanage_store_t,s0)
>> +/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
>> +/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
>>
>> #
>> # /var/run
>> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
>> index bee06f4..ae280bd 100644
>> --- a/policy/modules/system/selinuxutil.if
>> +++ b/policy/modules/system/selinuxutil.if
>> @@ -1037,11 +1037,12 @@ interface(`seutil_run_semanage',`
>> #
>> interface(`seutil_manage_module_store',`
>> gen_require(`
>> - type selinux_config_t, semanage_store_t;
>> + type selinux_config_t, semanage_store_t, semanage_var_lib_t;
>> ')
>>
>> files_search_etc($1)
>> manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
>> + manage_dirs_pattern($1, semanage_var_lib_t, semanage_store_t)
>> manage_files_pattern($1, semanage_store_t, semanage_store_t)
>> manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
>> ')
>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
>> index c322a6f..a73874c 100644
>> --- a/policy/modules/system/selinuxutil.te
>> +++ b/policy/modules/system/selinuxutil.te
>> @@ -454,6 +454,7 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
>> allow semanage_t semanage_tmp_t:file manage_file_perms;
>> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>>
>> +filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, dir)
>> manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
>> manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
>>
>>
>
>