2014-01-14 10:57:12

by Laurent Bigonville

Subject: [refpolicy] seutil_manage_module_store interface missing filetrans

Hi,

I noticed several days ago that semodule operations were failing
in enforcing mode. When adding a module:

libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).

Russell has proposed a patch to fix this (side note: Russell, I think this
should go in the seutil_manage_module_store interface instead of
the .te):

filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")

Looking at the Fedora policy, they also have:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")

So I'll propose a patch to add these 3 rules.

But seutil_manage_module_store also contains:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")

This seems bogus to me if I'm looking at the .fc,
the /etc/selinux/default/modules directory is labeled as
selinux_config_t and not semanage_store_t.
And /etc/selinux/default/modules/active/modules will inherit the proper
context from the parent.

So I'm not really sure which "modules" directory this was
referring to (I guess the top-level one), and whether the fcontext should be
modified or this rule dropped.

Cheers,

Laurent Bigonville


2014-01-14 13:51:13

by cpebenito

Subject: [refpolicy] seutil_manage_module_store interface missing filetrans

On 01/14/14 05:57, Laurent Bigonville wrote:
> Hi,
>
> I noticed several days ago that semodule operations were failing
> in enforcing mode. When adding a module:
>
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>
> Russell has proposed a patch to fix this (side note: Russell, I think this
> should go in the seutil_manage_module_store interface instead of
> the .te):
>
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
>
> Looking at the Fedora policy, they also have:
>
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
>
> So I'll propose a patch to add these 3 rules.
>
> But seutil_manage_module_store also contains:
>
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>
> This seems bogus to me if I'm looking at the .fc,
> the /etc/selinux/default/modules directory is labeled as
> selinux_config_t and not semanage_store_t.
> And /etc/selinux/default/modules/active/modules will inherit the proper
> context from the parent.
>
> So I'm not really sure which "modules" directory this was
> referring to (I guess the top-level one), and whether the fcontext should be
> modified or this rule dropped.

It should all be simplified, as everything under /etc/selinux/*/modules should be semanage_store_t, except for the two .LOCK files. Then we can probably drop the filetrans out of seutil_manage_module_store(). My guess is that rule found its way there due to seutil_manage_module_store(semanage_t). On further consideration, I think only semanage_t should be creating that directory[1], so it should be the only domain with that filetrans.


[1] package managers too, but they should work correctly since they matchpathcon/setfscreate on the stuff they install

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-01-14 13:59:58

by Laurent Bigonville

Subject: [refpolicy] seutil_manage_module_store interface missing filetrans

On Tue, 14 Jan 2014 08:51:13 -0500,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 01/14/14 05:57, Laurent Bigonville wrote:
> > Hi,
> >
> > I noticed several days ago that semodule operations were
> > failing in enforcing mode. When adding a module:
> >
> > libsemanage.semanage_make_sandbox: Could not copy files to
> > sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> >
> > Russell has proposed a patch to fix this (side note: Russell, I
> > think this should go in the seutil_manage_module_store interface
> > instead of the .te):
> >
> > filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
> > dir, "tmp")
> >
> > Looking at the Fedora policy, they also have:
> >
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> >
> > So I'll propose a patch to add these 3 rules.
> >
> > But seutil_manage_module_store also contains:
> >
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
> > "modules")
> >
> > This seems bogus to me if I'm looking at the .fc,
> > the /etc/selinux/default/modules directory is labeled as
> > selinux_config_t and not semanage_store_t.
> > And /etc/selinux/default/modules/active/modules will inherit the
> > proper context from the parent.
> >
> > So I'm not really sure which "modules" directory this was
> > referring to (I guess the top-level one), and whether the fcontext should
> > be modified or this rule dropped.
>
> It should all be simplified, as everything
> under /etc/selinux/*/modules should be semanage_store_t, except for
> the two .LOCK files. Then we can probably drop the filetrans out of
> seutil_manage_module_store(). My guess is that rule found its way
> there due to seutil_manage_module_store(semanage_t). On further
> consideration, I think only semanage_t should be creating that
> directory[1], so it should be the only domain with that filetrans.

So something like:

-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
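Review bot: the widened `+/etc/selinux/([^/]*/)?modules(/.*)?` entry also matches the two .LOCK files under the modules directory, which the previous reply says are the one exception to semanage_store_t; those files need more-specific entries that sort after this one so they keep their current type. The entry now labels the top-level modules directory itself semanage_store_t, so the `dir, "modules"` filetrans from selinux_config_t (the label of /etc/selinux/default) stays consistent with the fc, and the question that remains is only which domain should carry it.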

And the filetrans currently in the policy (for "modules" directory) can
stay?
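As an added illustration (not code from the thread), a small Python model of the fc change proposed above: it applies a simplified file_contexts lookup (entries ordered least to most specific, last match wins) to the old and new module-store entries and reports which sample paths change type. The catch-all selinux_config_t entry, the .LOCK file names and the sample paths are assumptions constructed for the example, not lines quoted in the thread.

```python
import re

# Constructed file_contexts fragment modelled on the thread. The catch-all
# selinux_config_t entry and the two .LOCK entries are assumptions; the thread
# only says everything under modules/ should be semanage_store_t "except for
# the two .LOCK files". Each entry is (regex, type).
CATCH_ALL = (r"/etc/selinux(/.*)?", "selinux_config_t")
OLD_STORE = (r"/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?",
             "semanage_store_t")
NEW_STORE = (r"/etc/selinux/([^/]*/)?modules(/.*)?", "semanage_store_t")
LOCKS = (r"/etc/selinux/([^/]*/)?modules/semanage\.(read|trans)\.LOCK",
         "selinux_config_t")

OLD_FC = [CATCH_ALL, OLD_STORE, LOCKS]   # before the proposed change
NEW_FC = [CATCH_ALL, NEW_STORE, LOCKS]   # after it

def label(path, entries):
    """Simplified file_contexts lookup: entries are listed from least to
    most specific (the order fc_sort produces) and the last full match wins.
    Returns the type, or None when nothing matches."""
    result = None
    for regex, ctx in entries:
        if re.fullmatch(regex, path):
            result = ctx
    return result

def changed_labels(paths, old=OLD_FC, new=NEW_FC):
    """Return {path: (old_type, new_type)} for paths whose type changes."""
    return {p: (label(p, old), label(p, new))
            for p in paths if label(p, old) != label(p, new)}

# Constructed sample paths covering the cases discussed in the thread.
SAMPLE_PATHS = [
    "/etc/selinux/default/modules",                  # top-level store dir
    "/etc/selinux/default/modules/tmp",              # semanage sandbox
    "/etc/selinux/default/modules/active/modules",   # nested "modules"
    "/etc/selinux/default/modules/semanage.read.LOCK",
    "/etc/selinux/config",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:50} old={label(p, OLD_FC):18} new={label(p, NEW_FC)}")
    print("changed:", changed_labels(SAMPLE_PATHS))
```

Only the top-level modules directory changes type; the sandbox, the nested active/modules tree and the .LOCK files are labelled the same before and after.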

2014-01-14 14:05:23

by cpebenito

Subject: [refpolicy] seutil_manage_module_store interface missing filetrans

On Tue Jan 14 08:59:58 2014, Laurent Bigonville wrote:
> On Tue, 14 Jan 2014 08:51:13 -0500,
> "Christopher J. PeBenito" <[email protected]> wrote:
>
>> On 01/14/14 05:57, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> I noticed several days ago that semodule operations were
>>> failing in enforcing mode. When adding a module:
>>>
>>> libsemanage.semanage_make_sandbox: Could not copy files to
>>> sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>>>
>>> Russell has proposed a patch to fix this (side note: Russell, I
>>> think this should go in the seutil_manage_module_store interface
>>> instead of the .te):
>>>
>>> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
>>> dir, "tmp")
>>>
>>> Looking at the Fedora policy, they also have:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
>>>
>>> So I'll propose a patch to add these 3 rules.
>>>
>>> But seutil_manage_module_store also contains:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
>>> "modules")
>>>
>>> This seems bogus to me if I'm looking at the .fc,
>>> the /etc/selinux/default/modules directory is labeled as
>>> selinux_config_t and not semanage_store_t.
>>> And /etc/selinux/default/modules/active/modules will inherit the
>>> proper context from the parent.
>>>
>>> So I'm not really sure which "modules" directory this was
>>> referring to (I guess the top-level one), and whether the fcontext should
>>> be modified or this rule dropped.
>>
>> It should all be simplified, as everything
>> under /etc/selinux/*/modules should be semanage_store_t, except for
>> the two .LOCK files. Then we can probably drop the filetrans out of
>> seutil_manage_module_store(). My guess is that rule found its way
>> there due to seutil_manage_module_store(semanage_t). On further
>> consideration, I think only semanage_t should be creating that
>> directory[1], so it should be the only domain with that filetrans.
>
> So something like:
>
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
>
> And the filetrans currently in the policy (for "modules" directory) can
> stay?

Correct on the fc, but I'd move the filetrans out of the interface back
into the .te, for semanage_t.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com