From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 14 Jan 2014 11:57:12 +0100
Subject: [refpolicy] seutil_manage_module_store interface missing filetrans
Message-ID: <20140114115712.6127e287@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I noticed several days ago that semodule operations were failing in enforcing mode. When adding a module:

libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).

Russel has proposed a patch to fix this (side note: Russel, I think this should go in the seutil_manage_module_store interface instead of the .te):

filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")

Looking at the Fedora policy, they also have:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")

So I'll propose a patch to add these 3 rules.

But seutil_manage_module_store also contains:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")

This seems bogus to me: looking at the .fc, the /etc/selinux/default/modules directory is labeled as selinux_config_t and not semanage_store_t, and /etc/selinux/default/modules/active/modules will inherit the proper context from the parent. So I'm not really sure to which "modules" directory this was referring (I guess the top-level one), and whether the fcontext should be modified or this rule be dropped?

Cheers,

Laurent Bigonville
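The labeling question in the mail (why the "tmp" transition is needed, and why the "modules" one looks redundant) comes down to two rules: at runtime a name-based type_transition decides the type of a newly created directory, and without one the directory simply inherits its parent's type; at relabel time the last matching file_contexts entry wins. The following script, an added example that is not part of the mail and not refpolicy code, simulates both decisions. The .fc table inside it is a constructed approximation of the selinuxutil.fc entries (a catch-all selinux_config_t entry plus a semanage_store_t entry for modules/active, modules/tmp and modules/previous), and the transition rules are the four filetrans_pattern lines from the mail expanded for $1 = semanage_t. Rule ordering, named-before-unnamed precedence and the last-match-wins .fc semantics are simulated here, not taken from a kernel.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed approximation of the relevant file_contexts entries
# (NOT a copy of refpolicy's selinuxutil.fc). As in a real .fc file,
# a later matching entry overrides an earlier one.
FC_TABLE = [
    (r"/etc/selinux(/.*)?", "selinux_config_t"),
    (r"/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?", "semanage_store_t"),
]


def fc_label(path, table=FC_TABLE):
    """Type restorecon/matchpathcon would assign to `path`: the last
    matching regex (anchored on the whole path) wins."""
    label = None
    for regex, ty in table:
        if re.fullmatch(regex, path):
            label = ty
    return label


@dataclass(frozen=True)
class FileTrans:
    domain: str            # creating domain ($1 in the interface)
    parent: str            # type of the parent directory
    new_type: str          # type given to the new object
    cls: str               # object class ("dir", "file", ...)
    name: Optional[str]    # None models an unnamed type_transition


def filetrans_pattern(domain, parent, new_type, cls, name=None):
    """Mirror the argument order of the refpolicy macro."""
    return FileTrans(domain, parent, new_type, cls, name)


# The four rules discussed in the mail, with $1 expanded to semanage_t.
# "modules" is the rule already in seutil_manage_module_store; the other
# three are the proposed additions.
RULES = [
    filetrans_pattern("semanage_t", "selinux_config_t", "semanage_store_t", "dir", "modules"),
    filetrans_pattern("semanage_t", "selinux_config_t", "semanage_store_t", "dir", "tmp"),
    filetrans_pattern("semanage_t", "selinux_config_t", "semanage_store_t", "dir", "active"),
    filetrans_pattern("semanage_t", "selinux_config_t", "semanage_store_t", "dir", "previous"),
]


def runtime_label(domain, parent_type, cls, name, rules=RULES):
    """Type the kernel gives an object created at runtime: a name-based
    transition beats an unnamed one, and with no applicable rule the new
    object inherits the parent directory's type."""
    for r in rules:
        if (r.domain, r.parent, r.cls, r.name) == (domain, parent_type, cls, name):
            return r.new_type
    for r in rules:
        if (r.domain, r.parent, r.cls, r.name) == (domain, parent_type, cls, None):
            return r.new_type
    return parent_type


def mkdir_label(domain, parent_path, name, rules=RULES, table=FC_TABLE):
    """Simulate `domain` creating parent_path/name on a correctly labeled
    store. Returns (type actually created, type the .fc says it should be);
    a mismatch is exactly the kind of thing that produces the EACCES in
    semanage_make_sandbox, or a surprise on the next restorecon."""
    parent_type = fc_label(parent_path, table)
    created = runtime_label(domain, parent_type, "dir", name, rules)
    expected = fc_label(f"{parent_path}/{name}", table)
    return created, expected


def audit_store(domain="semanage_t", rules=RULES, table=FC_TABLE):
    """Run the creations that matter for the module store and report the
    ones where runtime label and .fc label disagree."""
    creations = [
        ("/etc/selinux/default", "modules"),             # the existing rule
        ("/etc/selinux/default/modules", "tmp"),         # the failing sandbox
        ("/etc/selinux/default/modules", "active"),
        ("/etc/selinux/default/modules", "previous"),
        ("/etc/selinux/default/modules/active", "modules"),  # inherits from parent
    ]
    mismatches = {}
    for parent, name in creations:
        created, expected = mkdir_label(domain, parent, name, rules, table)
        if created != expected:
            mismatches[f"{parent}/{name}"] = (created, expected)
    return mismatches


if __name__ == "__main__":
    # With all four rules only the top-level "modules" creation disagrees
    # with the .fc; drop the "tmp" rule and the sandbox directory is created
    # as selinux_config_t instead, which is the situation behind the mail.
    for label, rules in (("all four rules", RULES),
                         ("without tmp", [r for r in RULES if r.name != "tmp"])):
        print(label, audit_store(rules=rules))
```

Running it shows that with the "tmp" rule missing, /etc/selinux/default/modules/tmp is created as selinux_config_t while the .fc expects semanage_store_t, and that the only remaining disagreement once the three rules are added is the top-level "modules" transition, which labels /etc/selinux/default/modules as semanage_store_t although the .fc labels it selinux_config_t; the creation of modules/active/modules needs no rule at all because it inherits semanage_store_t from its parent.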