From: guido@trentalancia.com (Guido Trentalancia)
Date: Sat, 19 Mar 2011 16:45:06 +0100
Subject: [refpolicy] restorecon needs to read bin_t symlinks
Message-ID: <1300549506.3034.24.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello !

I have recently started to experience AVC denials due to restorecon
trying to read bin_t symbolic links. It is not entirely clear to me what
is triggering this, since everything has been working fine for a long
time.

In any case, I had to apply the following patch on my system (and I am
still asking myself why not files_read_all_symlinks then ?):

diff -pruN refpolicy-git-17032011/policy/modules/kernel/files.if refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if
--- refpolicy-git-17032011/policy/modules/kernel/files.if	2011-02-22 18:50:44.460551925 +0100
+++ refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if	2011-03-19 16:21:01.701636861 +0100
@@ -4425,7 +4425,28 @@ interface(`files_relabelfrom_usr_files',
 
 ########################################
 ## <summary>
-##	Read symbolic links in /usr.
+##	Read symbolic links with type
+##	bin_t (usually located in /bin,
+##	/sbin, /usr/bin and /usr/sbin).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+	gen_require(`
+		type bin_t;
+	')
+
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##	Read symbolic links with type
+##	usr_t (usually located in /usr).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff -pruN refpolicy-git-17032011/policy/modules/system/selinuxutil.te refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te
--- refpolicy-git-17032011/policy/modules/system/selinuxutil.te	2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te	2011-03-19 16:16:13.198810817 +0100
@@ -527,6 +527,7 @@ files_read_etc_runtime_files(setfiles_t)
 files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
+files_read_bin_symlinks(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
 
 fs_getattr_xattr_fs(setfiles_t)