From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 11 May 2017 19:47:45 -0400
Subject: [refpolicy] [PATCH v2] system/selinuxutil: Allow semanage to execute its tmp files
In-Reply-To: <20170508170214.7425-1-aranea@aixah.de>
References: <20170508170214.7425-1-aranea@aixah.de>
Message-ID: <4bcf4d3d-ad6c-17d4-c4c0-5142694a78cf@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/08/2017 01:02 PM, Luis Ressel via refpolicy wrote:
> Since app-admin/setools-4.1.0, some python internals try to create and
> execute a file in /tmp during semanage initialization, causing semanage
> to crash. Here's the backtrace (with the path
> "/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
>
> Traceback (most recent call last):
> File "/usr/lib/python-exec/python3.4/semanage", line 28, in
> import seobject
> File "py/seobject.py", line 34, in
> import sepolicy
> File "py/sepolicy/__init__.py", line 8, in
> import setools
> File "py/setools/__init__.py", line 77, in
> from .infoflow import InfoFlowAnalysis
> File "py/setools/infoflow.py", line 22, in
> import networkx as nx
> File "py/networkx/__init__.py", line 93, in
> import networkx.linalg
> File "py/networkx/linalg/__init__.py", line 9, in
> from networkx.linalg.algebraicconnectivity import *
> File "py/networkx/linalg/algebraicconnectivity.py", line 18, in
> from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
> File "py/numpy/__init__.py", line 180, in
> from . import add_newdocs
> File "py/numpy/add_newdocs.py", line 13, in
> from numpy.lib import add_newdoc
> File "py/numpy/lib/__init__.py", line 8, in
> from .type_check import *
> File "py/numpy/lib/type_check.py", line 11, in
> import numpy.core.numeric as _nx
> File "py/numpy/core/__init__.py", line 22, in
> from . import _internal # for freeze programs
> File "py/numpy/core/_internal.py", line 14, in
> import ctypes
> File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in
> _reset_cache()
> File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
> CFUNCTYPE(c_int)(lambda: None)
> MemoryError
> ---
> policy/modules/system/selinuxutil.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 13213552..1475c2e7 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -484,7 +484,7 @@ allow semanage_t policy_src_t:dir search;
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
>
> allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> -allow semanage_t semanage_tmp_t:file manage_file_perms;
> +allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>
> kernel_read_system_state(semanage_t)

I'm sad it does this simply by importing setools :(

Merged.

--
Chris PeBenito
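Review bot: the `+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };` line lets a policy-management domain map its own tmp files executable, and the commit message does not justify the full width of that grant. It only says "some python internals try to create and execute a file in /tmp" and shows a traceback ending in `CFUNCTYPE(c_int)(lambda: None)` followed by `MemoryError`; it should quote the actual AVC denial (permission and object class) so a later reader can see whether the whole `mmap_file_perms` set is needed or only the permission that was denied, and should say that this is triggered merely by importing setools, which the reply notes but the message does not. A one-line comment above the rule naming the ctypes/setools dependency would also help, since nothing else in the .te file explains why a tmp file of `semanage_t` needs execute.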