From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 7 Nov 2013 09:07:42 -0500
Subject: [refpolicy] [RFC] Need for read_policy to use audit2allow?
In-Reply-To: <20131104214209.GA4756@siphos.be>
References: <20131104214209.GA4756@siphos.be>
Message-ID: <527B9EAE.1010902@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/04/13 16:42, Sven Vermeulen wrote:
> Hi guys
>
> I'm testing out the new userspace release and am now seemingly in need for
> the read_policy permission (security class) when I want to use audit2allow.
>
> The audit2allow command doesn't give any errors, it just doesn't display
> anything beyond a module header. In the AVC logs I have something like this:
>
> type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for
> pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:security_t:s0 tclass=security
>
> If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t)
> then audit2allow functions properly again.
>
> With the previous userspace release I do not seem to need this, nor is
> audit2allow running in any domain other than the one called by.
>
> Is this expected behavior (considering it is a security class, I thought I
> better ask)?

The permission means it's looking at /sys/fs/selinux/policy. I assume the
behavior has been changed to look at that instead of looking at the
policy.2x on disk, so it knows for certain it's looking at the current
policy. However, I haven't had a chance to dig through all of the Fedora
patches that have been committed to the userspace tools yet, to confirm.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
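The thread turns on reading one AVC record correctly: the denied permission is read_policy, the target class is security (the SELinux subsystem itself, backed by /sys/fs/selinux/policy), and the source type is the domain that ran audit2allow. The following is an added example, not code from the thread or from refpolicy, that parses audit.log-style AVC records, pulls out those three facts, and flags security-class denials for review before anyone writes an allow rule. The only refpolicy interface it names is selinux_read_policy(), because that is the one the thread confirms; the sample records are constructed (the first modelled on the denial quoted above, rejoined into the single line audit.log actually writes; the SYSCALL and file-read records are made up to show what the parser skips and leaves unhinted).

```python
import re
from dataclasses import dataclass

# Constructed sample records. In the mail the AVC record is wrapped over
# three lines; in audit.log each record is one line, which is what the
# parser expects. Records 2 and 3 are invented to exercise the filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1565426456.566:822): avc:  denied  { read_policy } for  pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1565426456.566:822): arch=c000003e syscall=2 success=no exit=-13 comm="audit2allow"
type=AVC msg=audit(1565426460.101:823): avc:  denied  { read } for  pid=2661 comm="cat" name="shadow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, verdict, permission set, then
# free-form key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are double-quoted (comm, name, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    serial: int
    perms: tuple
    pid: int
    comm: str
    source_type: str   # type component of scontext
    target_type: str   # type component of tcontext
    tclass: str


def context_type(ctx):
    """user:role:type[:mls] -> type (the part policy rules are written against)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit.log line; return an AvcDenial, or None for anything
    that is not an AVC denial (SYSCALL records, granted events, noise)."""
    m = AVC_RE.match(line.strip())
    if not m or m.group("verdict") != "denied":
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(
        serial=int(m.group("serial")),
        perms=tuple(m.group("perms").split()),
        pid=int(kv.get("pid", 0)),
        comm=kv.get("comm", ""),
        source_type=context_type(kv["scontext"]),
        target_type=context_type(kv["tcontext"]),
        tclass=kv["tclass"],
    )


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def is_policy_read(d):
    """The denial discussed in the thread: read_policy on the security class,
    i.e. the caller tried to read the loaded policy via /sys/fs/selinux/policy."""
    return d.tclass == "security" and "read_policy" in d.perms


def refpolicy_hint(d):
    """Interface named in the thread for this denial; None for everything else
    (no other refpolicy interfaces are assumed here)."""
    if is_policy_read(d):
        return f"selinux_read_policy({d.source_type})"
    return None


if __name__ == "__main__":
    for d in parse_log(SAMPLE_AUDIT_LOG):
        flag = "  <-- security class, review before allowing" if d.tclass == "security" else ""
        print(f"{d.serial}: {d.comm} ({d.source_type}) denied {d.perms} "
              f"on {d.target_type}:{d.tclass}{flag}")
        hint = refpolicy_hint(d)
        if hint:
            print(f"      refpolicy interface: {hint}")
```

Run against the sample it reports the read_policy denial with the interface from the thread and leaves the shadow_t read as a plain denial, which is the point: a security-class denial is not something to feed straight to audit2allow, since it governs access to the policy engine itself rather than to an ordinary object.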