With new userspace, trying to build a SELinux policy (and load it)
fails:

~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).

AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
---
policy/modules/system/selinuxutil.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..e5ff626 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
')
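Review bot: the type in the added manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) line does not match the commit message, which reports the denied lnk_file create in semanage_module_t. Please confirm against the AVC which type the link under /etc/selinux/mcs/modules/active/ actually carries and correct whichever side is wrong; quoting the denial itself in the commit message would settle it. Also note that, being inside seutil_manage_module_store, this grants the full manage set on symlinks in the store to every caller of the interface, not only semanage_t. If callers only ever create, read and replace the policy.kern link, a narrower lnk_file permission set would keep the module store tighter.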
--
1.8.1.5

On 4.11.2013 22:15, Sven Vermeulen wrote:
> With new userspace, trying to build a SELinux policy (and load it)
> fails:
>
> ~# semodule -B
> libsemanage.semanage_install_active: Unable to create sybolic link from
> /etc/selinux/mcs/modules/active/policy.kern to
> /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
>
> AVC shows a denial for the semodule command, running as semanage_t,
> trying to create a lnk_file in semanage_module_t.
> ---
> policy/modules/system/selinuxutil.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 3822072..e5ff626 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
> files_search_etc($1)
> manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
> manage_files_pattern($1, semanage_store_t, semanage_store_t)
> + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> ')
>
Yes, it needs to be added. We have it in Fedora.

On 11/04/13 16:15, Sven Vermeulen wrote:
> With new userspace, trying to build a SELinux policy (and load it)
> fails:
>
> ~# semodule -B
> libsemanage.semanage_install_active: Unable to create sybolic link from
> /etc/selinux/mcs/modules/active/policy.kern to
> /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
>
> AVC shows a denial for the semodule command, running as semanage_t,
> trying to create a lnk_file in semanage_module_t.
> ---
> policy/modules/system/selinuxutil.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 3822072..e5ff626 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
> files_search_etc($1)
> manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
> manage_files_pattern($1, semanage_store_t, semanage_store_t)
> + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com