From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Dec 2014 08:12:21 -0500 Subject: [refpolicy] [PATCH] Update policy for selinux userspace moving the policy store to /var/lib/selinux In-Reply-To: <1417537964-16125-1-git-send-email-slawrence@tresys.com> References: <1417537964-16125-1-git-send-email-slawrence@tresys.com> Message-ID: <547F0C35.6060906@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/2/2014 11:32 AM, Steve Lawrence wrote: > This keeps /var/lib/selinux labeled as semanage_var_lib_t, but all > directories inside it are now labeled semanage_store_t, except for lock > files. Is there anything other than module stores in /var/lib/selinux? I don't see anything else on my systems. If so, we should drop semanage_var_lib_t (make it an alias of semanage_store_t for compat) and make everything under /var/lib/selinux semanage_store_t (except the locks of course). > Signed-off-by: Steve Lawrence > --- > policy/modules/system/selinuxutil.fc | 6 +++++- > policy/modules/system/selinuxutil.if | 3 ++- > policy/modules/system/selinuxutil.te | 1 + > 3 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc > index ec19d63..8f1eb3c 100644 > --- a/policy/modules/system/selinuxutil.fc > +++ b/policy/modules/system/selinuxutil.fc 
> @@ -41,11 +41,15 @@ > /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) > /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) > /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) > +/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0) > > # > # /var/lib > # > -/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) > +/var/lib/selinux -d gen_context(system_u:object_r:semanage_var_lib_t,s0) > +/var/lib/selinux/.* gen_context(system_u:object_r:semanage_store_t,s0) > +/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) > +/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) > > # > # /var/run > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index bee06f4..ae280bd 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -1037,11 +1037,12 @@ interface(`seutil_run_semanage',` > # > interface(`seutil_manage_module_store',` > gen_require(` > - type selinux_config_t, semanage_store_t; > + type selinux_config_t, semanage_store_t, semanage_var_lib_t; > ') > > files_search_etc($1) > manage_dirs_pattern($1, selinux_config_t, semanage_store_t) > + manage_dirs_pattern($1, semanage_var_lib_t, semanage_store_t) > manage_files_pattern($1, semanage_store_t, semanage_store_t) > manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) > ') > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index c322a6f..a73874c 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te 
> @@ -454,6 +454,7 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms; > allow semanage_t semanage_tmp_t:file manage_file_perms; > files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) > > +filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, dir) > manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) > manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
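Review bot: in the selinuxutil.fc hunk, the two lock entries `/var/lib/selinux/[^/]+/semanage\.read\.LOCK` and `/var/lib/selinux/[^/]+/semanage\.trans\.LOCK` only match a LOCK file exactly one directory below /var/lib/selinux, and they overlap the catch-all `/var/lib/selinux/.*` semanage_store_t entry, so they rely on file_contexts specificity ordering to win; please confirm the userspace writes the LOCK files directly in the per-store directory and not deeper, otherwise they silently end up labeled semanage_store_t. Separately, if the question above is answered with "nothing but module stores lives there", the `-d` line and the `.*` line collapse back into a single `/var/lib/selinux(/.*)?` entry with semanage_store_t, and semanage_var_lib_t can become a compat alias as suggested.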
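Review bot: in the seutil_manage_module_store hunk, the new `manage_dirs_pattern($1, semanage_var_lib_t, semanage_store_t)` grants access to the store under /var/lib/selinux, but the interface still only carries `files_search_etc($1)` for the old /etc/selinux location; a caller without search on var_lib_t cannot reach /var/lib/selinux, so add `files_search_var_lib($1)` next to it. Also, the dir type transition from semanage_var_lib_t to semanage_store_t is only added for semanage_t in the .te hunk, so a caller of this interface that creates a store directory itself would get semanage_var_lib_t instead of semanage_store_t; if callers are expected to create stores, a matching `filetrans_pattern($1, semanage_var_lib_t, semanage_store_t, dir)` belongs in the interface too.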
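Review bot: in the selinuxutil.te hunk, `filetrans_pattern(semanage_t, semanage_var_lib_t, semanage_store_t, dir)` only covers directories, while the .fc entry `/var/lib/selinux/.*` labels every object under /var/lib/selinux, files included, as semanage_store_t; a file that semanage_t creates directly in /var/lib/selinux would therefore carry semanage_var_lib_t until the next relabel. Either extend the transition to `{ dir file }`, or, if no files are ever created at that level, drop the now dead `manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)` so the policy stops granting access on a file type the labeling no longer produces.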