From: domg472@gmail.com (Dominick Grift)
Date: Sat, 19 Mar 2011 16:51:56 +0100
Subject: [refpolicy] restorecon needs to read bin_t symlinks
In-Reply-To: <1300549506.3034.24.camel@tesla.lan>
References: <1300549506.3034.24.camel@tesla.lan>
Message-ID: <4D84D11C.5090909@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 03/19/2011 04:45 PM, Guido Trentalancia wrote:
> Hello !
>
> I have recently started to experience AVC denials due to restorecon
> trying to read bin_t symbolic links. It is not entirely clear to me what
> is triggering this, since everything has been working fine for a long
> time.
>
> In any case, I had to apply the following patch on my system (and I am
> still asking myself why not files_read_all_symlinks then?):
>
> diff -pruN refpolicy-git-17032011/policy/modules/kernel/files.if refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if
> --- refpolicy-git-17032011/policy/modules/kernel/files.if 2011-02-22 18:50:44.460551925 +0100
> +++ refpolicy-git-17032011-restorecon/policy/modules/kernel/files.if 2011-03-19 16:21:01.701636861 +0100
> @@ -4425,7 +4425,28 @@ interface(`files_relabelfrom_usr_files',
>
> ########################################
> ##
> -## Read symbolic links in /usr.
> +## Read symbolic links with type
> +## bin_t (usually located in /bin,
> +## /sbin, /usr/bin and /usr/sbin).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_read_bin_symlinks',`
This interface is already available in the corecommands module:
corecmd_read_bin_symlinks()
Can you enclose the AVC denial that you were seeing?
It is probably this:
ls -alZ /sbin/restorecon
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/restorecon -> setfiles
> + gen_require(`
> + type bin_t;
> + ')
> +
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +##
> +## Read symbolic links with type
> +## usr_t (usually located in /usr).
> ##
> ##
> ##
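Review bot: the new files_read_bin_symlinks interface in this files.if hunk duplicates an interface that already exists and puts it in the wrong module: bin_t is a corecommands type, and corecommands already exports corecmd_read_bin_symlinks() (as noted in the reply above) for exactly this access, so the whole files.if hunk should be dropped and the caller should use the existing interface instead. Adding a second interface for the same type and permission set in files.if would leave two names for one access and would have to be kept in sync with corecommands from then on.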
> diff -pruN refpolicy-git-17032011/policy/modules/system/selinuxutil.te refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te
> --- refpolicy-git-17032011/policy/modules/system/selinuxutil.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-17032011-restorecon/policy/modules/system/selinuxutil.te 2011-03-19 16:16:13.198810817 +0100
> @@ -527,6 +527,7 @@ files_read_etc_runtime_files(setfiles_t)
> files_read_etc_files(setfiles_t)
> files_list_all(setfiles_t)
> files_relabel_all_files(setfiles_t)
> +files_read_bin_symlinks(setfiles_t)
> files_read_usr_symlinks(setfiles_t)
>
> fs_getattr_xattr_fs(setfiles_t)
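Review bot: `+files_read_bin_symlinks(setfiles_t)` calls an interface that should not be introduced, since corecommands already provides corecmd_read_bin_symlinks(); replace the line with `corecmd_read_bin_symlinks(setfiles_t)` and put it with setfiles_t's other corecmd_* calls rather than between the files_* calls, following refpolicy's convention of grouping interface calls by module. Before this is merged, the AVC denial requested in the reply should be attached so the access can be confirmed as a read of a bin_t lnk_file by setfiles_t (the /sbin/restorecon -> setfiles symlink shown above) and not something needing a different or broader interface.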
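The reply asks for the actual AVC denial before choosing an interface. The following is an added example, not code from the thread or from refpolicy, that parses audit-log AVC lines the way a triager would before deciding which interface to call: it groups denials by (source type, target type, class) and renders them as raw allow rules in the audit2allow style. The sample audit lines are constructed to have the shape a setfiles_t read of a bin_t symlink would produce; the timestamps, pids and inode numbers are invented. The rendered raw rule is a diagnostic only; in refpolicy the fix is the matching interface call (here corecmd_read_bin_symlinks), not a bare allow rule.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread): two AVC records
# of the shape a setfiles_t access to a bin_t symlink would produce, plus a
# SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1300549506.123:456): avc:  denied  { read } for  pid=1234 comm="setfiles" name="restorecon" dev=sda1 ino=98765 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1300549506.124:457): avc:  denied  { getattr } for  pid=1234 comm="setfiles" path="/sbin/restorecon" dev=sda1 ino=98765 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1300549506.124:457): arch=c000003e syscall=4 success=no exit=-13
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all
    denied AVC records in the given audit text; non-AVC lines are skipped."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def as_allow_rules(denials):
    """Render grouped denials as raw TE allow rules, audit2allow style, with
    permissions sorted so the output is stable."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in as_allow_rules(parse_avc(SAMPLE_AUDIT)):
        print(rule)
```

Run against a real log, the grouped (setfiles_t, bin_t, lnk_file) key with a read permission is what would confirm the reply's guess that the /sbin/restorecon -> setfiles symlink is being followed; a key with a different target type or class would point at a different interface.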