From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jan 2014 09:05:23 -0500
Subject: [refpolicy] seutil_manage_module_store interface missing filetrans
In-Reply-To: <20140114145958.0cbc3275@soldur.bigon.be>
References: <20140114115712.6127e287@soldur.bigon.be> <52D540D1.8070105@tresys.com> <20140114145958.0cbc3275@soldur.bigon.be>
Message-ID: <52D54423.3030309@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue Jan 14 08:59:58 2014, Laurent Bigonville wrote:
> On Tue, 14 Jan 2014 08:51:13 -0500,
> "Christopher J. PeBenito" wrote:
>
>> On 01/14/14 05:57, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> I noticed several days ago that semodule operations were
>>> failing in enforcing mode. When adding a module:
>>>
>>> libsemanage.semanage_make_sandbox: Could not copy files to
>>> sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>>>
>>> Russel has proposed a patch to fix this (side note: Russel, I
>>> think this should go in the seutil_manage_module_store interface
>>> instead of the .te):
>>>
>>> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
>>>
>>> Looking at the Fedora policy, they also have:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
>>>
>>> So I'll propose a patch to add these 3 rules.
>>>
>>> But seutil_manage_module_store also contains:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>>>
>>> This seems bogus to me if I'm looking at the .fc:
>>> the /etc/selinux/default/modules directory is labeled as
>>> selinux_config_t and not semanage_store_t.
>>> And /etc/selinux/default/modules/active/modules will inherit the
>>> proper context from the parent.
>>>
>>> So I'm not really sure to which "modules" directory this was
>>> referring (I guess the toplevel one), and whether the fcontext should
>>> be modified or this rule be dropped?
>>
>> It should all be simplified, as everything
>> under /etc/selinux/*/modules should be semanage_store_t, except for
>> the two .LOCK files. Then we can probably drop the filetrans out of
>> seutil_manage_module_store(). My guess is that rule found its way
>> there due to seutil_manage_module_store(semanage_t). On further
>> consideration, I think only semanage_t should be creating that
>> directory[1], so it should be the only domain with that filetrans.
>
> So something like:
>
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
>
> And the filetrans currently in the policy (for "modules" directory) can
> stay?

Correct on the fc, but I'd move the filetrans out of the interface back into the .te, for semanage_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
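The interaction between the .fc regex and the filetrans rules discussed in this thread, as an added example that is not part of the original mail or of refpolicy. It is a constructed, simplified model: a path's on-disk type is the last matching .fc entry (roughly what restorecon applies), while a directory created at run time inherits its parent's on-disk type unless a filetrans rule names that parent type and file name. The `/etc/selinux(/.*)?` entry for `selinux_config_t` is assumed.

```python
import re

# Constructed .fc tables: (regex, type). Last matching entry wins.
OLD_FC = [
    (r"/etc/selinux(/.*)?", "selinux_config_t"),  # assumed base entry
    (r"/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?", "semanage_store_t"),
]
NEW_FC = [
    (r"/etc/selinux(/.*)?", "selinux_config_t"),  # assumed base entry
    (r"/etc/selinux/([^/]*/)?modules(/.*)?", "semanage_store_t"),
]

# filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
# expressed as {(parent_type, name): created_type}
SEMANAGE_FILETRANS = {("selinux_config_t", "modules"): "semanage_store_t"}

# Directories semanage_t creates under the module store (constructed list).
STORE = "/etc/selinux/default/modules"
CREATIONS = [("/etc/selinux/default", "modules")] + [
    (STORE, name) for name in ("tmp", "active", "previous")
]


def fc_type(path, fc):
    """Type the .fc table assigns to path, or None if nothing matches."""
    found = None
    for regex, setype in fc:
        if re.fullmatch(regex, path):
            found = setype
    return found


def created_type(parent, name, fc, filetrans):
    """Type a new dir gets at creation: filetrans rule if one applies,
    otherwise the parent's on-disk type is inherited."""
    parent_type = fc_type(parent, fc)
    return filetrans.get((parent_type, name), parent_type)


def mislabeled_on_create(fc, filetrans):
    """Names whose run-time type would disagree with the .fc label, i.e.
    where the policy and the file contexts are out of step."""
    return [
        name
        for parent, name in CREATIONS
        if created_type(parent, name, fc, filetrans) != fc_type(parent + "/" + name, fc)
    ]


if __name__ == "__main__":
    print(mislabeled_on_create(OLD_FC, {}))                  # ['tmp', 'active', 'previous']
    print(mislabeled_on_create(OLD_FC, SEMANAGE_FILETRANS))  # ['modules', 'tmp', 'active', 'previous']
    print(mislabeled_on_create(NEW_FC, SEMANAGE_FILETRANS))  # []
```

With the old .fc, tmp/active/previous inherit selinux_config_t at creation (the three rules proposed in the thread would be needed) and the existing "modules" filetrans creates a type the .fc does not assign; with the widened .fc, only the single "modules" filetrans for semanage_t is still required and every creation agrees with the file contexts.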