From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 4 Nov 2013 22:15:13 +0100 Subject: [refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t Message-ID: <20131104211513.GA2235@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com With new userspace, trying to build a SELinux policy (and load it) fails: ~# semodule -B libsemanage.semanage_install_active: Unable to create sybolic link from /etc/selinux/mcs/modules/active/policy.kern to /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied). AVC shows a denial for the semodule command, running as semanage_t, trying to create a lnk_file in semanage_module_t. --- policy/modules/system/selinuxutil.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 3822072..e5ff626 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',` files_search_etc($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") ') -- 1.8.1.5
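Review bot: The added line `manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)` in `seutil_manage_module_store` grants access to lnk_file objects of type semanage_store_t, but the commit message describes the denial as a lnk_file in semanage_module_t. Please confirm which type the denial actually names, ideally by quoting the AVC record in the message so the rule can be checked against it. Also, the reported failure is only the creation of one symlink, while the manage pattern gives every caller of this interface the wider set of symlink management permissions on the store. That is consistent with the neighbouring `manage_dirs_pattern` and `manage_files_pattern` lines, but the commit message should say the broader grant is intended rather than leaving it implicit.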