From: dsugar@tresys.com (David Sugar) Date: Wed, 11 Oct 2017 15:08:19 +0000 Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory. This directory creation was being denied (see below audit logs). The change allows these directories to be created (and removed). type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1507612985.156:121): avc: denied { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 0=fsuid 0=suid egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null) type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1 type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1507612985.497:125): avc: denied { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null) Signed-off-by: Dave Sugar --- policy/modules/system/selinuxutil.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index e9f86664..b14a901d 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t) seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) +seutil_manage_config_dirs(semanage_t) seutil_run_setfiles(semanage_t, semanage_roles) seutil_run_loadpolicy(semanage_t, semanage_roles) seutil_manage_bin_policy(semanage_t) -- 2.13.5