From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 13 Nov 2013 09:19:25 -0500 Subject: [refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t In-Reply-To: <20131104211513.GA2235@siphos.be> References: <20131104211513.GA2235@siphos.be> Message-ID: <52838A6D.4010908@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/04/13 16:15, Sven Vermeulen wrote: > With new userspace, trying to build a SELinux policy (and load it) > fails: > > ~# semodule -B > libsemanage.semanage_install_active: Unable to create sybolic link from > /etc/selinux/mcs/modules/active/policy.kern to > /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied). > > AVC shows a denial for the semodule command, running as semanage_t, > trying to create a lnk_file in semanage_module_t. > --- > policy/modules/system/selinuxutil.if | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index 3822072..e5ff626 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',` > files_search_etc($1) > manage_dirs_pattern($1, selinux_config_t, semanage_store_t) > manage_files_pattern($1, semanage_store_t, semanage_store_t) > + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") > ') Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
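Review bot: the added `manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)` line in `seutil_manage_module_store` gives every domain that calls this interface the full symlink management permission set on semanage_store_t, while the description reports only a create denial for semanage_t. It is worth confirming that all callers of the interface should receive this and not semanage_t alone, and updating the interface's summary comment to mention symbolic links if it enumerates what callers may manage. The description also names the target type as semanage_module_t, whereas the subject and the hunk use semanage_store_t; the commit message should name the same type as the rule, ideally with the AVC line itself quoted so the denied class and permission can be checked against what is granted.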