From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 May 2017 18:03:20 +0200
Subject: [refpolicy] [PATCH] system/selinuxutil: Allow semanage to execute its tmp files
In-Reply-To: <20170508154628.3088-1-aranea@aixah.de>
References: <20170508154628.3088-1-aranea@aixah.de>
Message-ID: <20170508160320.GD3701@julius>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, May 08, 2017 at 05:46:28PM +0200, Luis Ressel via refpolicy wrote:
> Since app-admin/setools-4.1.0, some python internals try to create and
> execute a file in /tmp during semanage initialization, causing semanage
> to crash. Here's the backtrace (with the path
> "/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
>
> Traceback (most recent call last):
>   File "/usr/lib/python-exec/python3.4/semanage", line 28, in
>     import seobject
>   File "py/seobject.py", line 34, in
>     import sepolicy
>   File "py/sepolicy/__init__.py", line 8, in
>     import setools
>   File "py/setools/__init__.py", line 77, in
>     from .infoflow import InfoFlowAnalysis
>   File "py/setools/infoflow.py", line 22, in
>     import networkx as nx
>   File "py/networkx/__init__.py", line 93, in
>     import networkx.linalg
>   File "py/networkx/linalg/__init__.py", line 9, in
>     from networkx.linalg.algebraicconnectivity import *
>   File "py/networkx/linalg/algebraicconnectivity.py", line 18, in
>     from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
>   File "py/numpy/__init__.py", line 180, in
>     from . import add_newdocs
>   File "py/numpy/add_newdocs.py", line 13, in
>     from numpy.lib import add_newdoc
>   File "py/numpy/lib/__init__.py", line 8, in
>     from .type_check import *
>   File "py/numpy/lib/type_check.py", line 11, in
>     import numpy.core.numeric as _nx
>   File "py/numpy/core/__init__.py", line 22, in
>     from . import _internal # for freeze programs
>   File "py/numpy/core/_internal.py", line 14, in
>     import ctypes
>   File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in
>     _reset_cache()
>   File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
>     CFUNCTYPE(c_int)(lambda: None)
> MemoryError
> --- > policy/modules/system/selinuxutil.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index 13213552..6380a62a 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -484,7 +484,7 @@ allow semanage_t policy_src_t:dir search; > filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules") > > allow semanage_t semanage_tmp_t:dir manage_dir_perms; > -allow semanage_t semanage_tmp_t:file manage_file_perms; > +allow semanage_t semanage_tmp_t:file { manage_file_perms exec_file_perms };

use mmap_file_perms instead

> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) > > kernel_read_system_state(semanage_t) > -- > 2.12.2

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
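
Review bot: the changed rule `+allow semanage_t semanage_tmp_t:file { manage_file_perms exec_file_perms };` leaves semanage_t able to both write and execute the files it creates under /tmp (the `files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })` context line labels them semanage_tmp_t), and that is wider than the quoted backtrace justifies. The trace ends in a MemoryError raised from ctypes' `CFUNCTYPE(c_int)(lambda: None)`, which points to a refused executable memory mapping rather than to semanage running a program from /tmp. Use the narrower `mmap_file_perms` set that the reply proposes. Also add a comment above the rule naming the import chain that needs it (setools, networkx, numpy, ctypes), so the permission can be revisited when that dependency changes.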