From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 14 Jan 2014 14:59:58 +0100
Subject: [refpolicy] seutil_manage_module_store interface missing filetrans
In-Reply-To: <52D540D1.8070105@tresys.com>
References: <20140114115712.6127e287@soldur.bigon.be> <52D540D1.8070105@tresys.com>
Message-ID: <20140114145958.0cbc3275@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 14 Jan 2014 08:51:13 -0500, "Christopher J. PeBenito" wrote:

> On 01/14/14 05:57, Laurent Bigonville wrote:
> > Hi,
> >
> > I noticed several days ago that semodule operations were
> > failing in enforcing mode. When adding a module:
> >
> > libsemanage.semanage_make_sandbox: Could not copy files to
> > sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> >
> > Russel has proposed a patch to fix this (side note: Russel, I
> > think this should go in the seutil_manage_module_store interface
> > instead of the .te):
> >
> > filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
> >
> > Looking at the Fedora policy, they also have:
> >
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> >
> > So I'll propose a patch to add these 3 rules.
> >
> > But seutil_manage_module_store also contains:
> >
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> >
> > This seems bogus to me if I'm looking at the .fc:
> > the /etc/selinux/default/modules directory is labeled as
> > selinux_config_t and not semanage_store_t.
> > And /etc/selinux/default/modules/active/modules will inherit the
> > proper context from the parent.
> >
> > So I'm not really sure which "modules" directory this was
> > referring to (I guess the toplevel one), and whether the fcontext should
> > be modified or this rule be dropped?
>
> It should all be simplified, as everything
> under /etc/selinux/*/modules should be semanage_store_t, except for
> the two .LOCK files. Then we can probably drop the filetrans out of
> seutil_manage_module_store(). My guess is that rule found its way
> there due to seutil_manage_module_store(semanage_t). On further
> consideration, I think only semanage_t should be creating that
> directory[1], so it should be the only domain with that filetrans.

So something like:

-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)

And the filetrans currently in the policy (for "modules" directory) can stay?
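Review bot: the widened pattern `/etc/selinux/([^/]*/)?modules(/.*)?` also matches the two .LOCK files that the quoted reply says must not be semanage_store_t, so the change is only correct if more specific .fc entries for those lock files remain and take precedence over it; the patch should show those entries alongside this hunk (or state that they are already present), otherwise a relabel would give the lock files semanage_store_t. On the question at the end: once the top-level modules directory is semanage_store_t per this .fc change, the existing `filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")` does match the labeling, but per the quoted reply it should be semanage_t's rule rather than live in seutil_manage_module_store(), so the patch should move it out of the interface; the "tmp", "active" and "previous" filetrans then become unnecessary, since directories created under a semanage_store_t parent inherit semanage_store_t.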