From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jan 2014 08:51:13 -0500
Subject: [refpolicy] seutil_manage_module_store interface missing filetrans
In-Reply-To: <20140114115712.6127e287@soldur.bigon.be>
References: <20140114115712.6127e287@soldur.bigon.be>
Message-ID: <52D540D1.8070105@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/14/14 05:57, Laurent Bigonville wrote:
> Hi,
>
> I've noticed several days ago that semodule operations were failing
> in enforcing mode. When adding a module:
>
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>
> Russel has proposed a patch to fix this (side note: Russel, I think this
> should go in the seutil_manage_module_store interface instead of
> the .te):
>
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
>
> Looking at the Fedora policy, they also have:
>
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
>
> So I'll propose a patch to add these 3 rules.
>
> But seutil_manage_module_store also contains:
>
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>
> This seems bogus to me if I'm looking at the .fc,
> the /etc/selinux/default/modules directory is labeled as
> selinux_config_t and not semanage_store_t.
> And /etc/selinux/default/modules/active/modules will inherit the proper
> context from the parent.
>
> So I'm not really sure to which "modules" directory this was
> referring (I guess the toplevel one), and if the fcontext should be
> modified or this rule be dropped?

It should all be simplified, as everything under /etc/selinux/*/modules should be semanage_store_t, except for the two .LOCK files. Then we can probably drop the filetrans out of seutil_manage_module_store().
My guess is that rule found its way there due to seutil_manage_module_store(semanage_t). On further consideration, I think only semanage_t should be creating that directory[1], so it should be the only domain with that filetrans.

[1] package managers too, but they should work correctly since they matchpathcon/setfscreate on the stuff they install

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
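The layout Chris describes, written out as an added illustration for readers following the thread. This is not the patch under discussion and not refpolicy's actual source: the .fc regex, the reduced interface body, and the omission of the two .LOCK entries (which would keep their own existing, more specific .fc lines) are all assumptions made here to show the shape of the change, not the project's exact text.

```m4
# --- .fc (illustrative, not the project's file) -----------------------------
# Label the whole per-store modules tree semanage_store_t. With this entry the
# sub-directories that libsemanage creates (active, previous, tmp, ...) sit
# under a semanage_store_t parent and simply inherit that type, so no
# per-name filetrans rule is needed for them.
# The two .LOCK files are assumed to keep their existing, more specific
# entries, which must come later in the file than this one (not shown).
/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)

# --- .te (illustrative) -----------------------------------------------------
# The one directory that still needs a name-based transition is the top-level
# "modules" directory itself, because its parent (/etc/selinux/<store>) stays
# selinux_config_t. Only semanage_t creates it, so the rule lives in the
# semanage domain's .te rather than in the interface every caller pulls in.
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")

# --- .if (illustrative, reduced sketch) ------------------------------------
# seutil_manage_module_store() then grants only the manage rules; the
# filetrans_pattern line that used to be here is dropped.
interface(`seutil_manage_module_store',`
	gen_require(`
		type selinux_config_t, semanage_store_t;
	')

	files_search_etc($1)
	search_dirs_pattern($1, selinux_config_t, semanage_store_t)
	manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
	manage_files_pattern($1, semanage_store_t, semanage_store_t)
')
```

The check a practitioner would run after relabeling is whether matchpathcon for /etc/selinux/<store>/modules/tmp, /active and /previous now returns semanage_store_t, and whether the .LOCK files still match their own entries; if the broad regex above is placed after the .LOCK entries, the .LOCK files would be swallowed by it, so ordering in the .fc matters.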