From: mgrepl@redhat.com (Miroslav Grepl)
Date: Tue, 12 Nov 2013 00:14:56 +0100
Subject: [refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t
In-Reply-To: <20131104211513.GA2235@siphos.be>
References: <20131104211513.GA2235@siphos.be>
Message-ID: <528164F0.3080604@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 4.11.2013 22:15, Sven Vermeulen wrote:
> With new userspace, trying to build a SELinux policy (and load it)
> fails:
>
> ~# semodule -B
> libsemanage.semanage_install_active: Unable to create sybolic link from
> /etc/selinux/mcs/modules/active/policy.kern to
> /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
>
> AVC shows a denial for the semodule command, running as semanage_t,
> trying to create a lnk_file in semanage_module_t.
> --- > policy/modules/system/selinuxutil.if | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index 3822072..e5ff626 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',` > files_search_etc($1) > manage_dirs_pattern($1, selinux_config_t, semanage_store_t) > manage_files_pattern($1, semanage_store_t, semanage_store_t) > + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") > ') >

Yes, it needs to be added. We have it in Fedora.
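
Review bot: The added manage_lnk_files_pattern line in seutil_manage_module_store gives every caller of that interface the full manage set on semanage_store_t symlinks, while the report only describes semanage_t being denied creation of a lnk_file. That matches the dirs and files lines next to it, so the scope is consistent with the interface name, but the commit message should quote the actual AVC denial so the class, permission and target type can be checked against the rule. It should also name the type consistently: the description says semanage_module_t while the subject and the hunk use semanage_store_t. If the interface's summary comment lists the object classes it covers, update it to mention symbolic links.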