From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 11 Oct 2017 18:34:10 -0400
Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories
Message-ID: <87e8b77b-a5ea-acf2-adef-30ad90a758ec@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory. This directory creation was being denied (see below audit logs). The change allows these directories to be created (and removed).
>
> type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.156:121): avc: denied { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1
> type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.497:125): avc: denied { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/system/selinuxutil.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index e9f86664..b14a901d 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> seutil_libselinux_linked(semanage_t)
> seutil_manage_file_contexts(semanage_t)
> seutil_manage_config(semanage_t)
> +seutil_manage_config_dirs(semanage_t)
> seutil_run_setfiles(semanage_t, semanage_roles)
> seutil_run_loadpolicy(semanage_t, semanage_roles)
> seutil_manage_bin_policy(semanage_t)

This shouldn't be necessary as current systems have the module store in /var/lib/selinux, which is all semanage_store_t.

--
Chris PeBenito
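Review bot: the one added line, seutil_manage_config_dirs(semanage_t), widens semanage_t's write access to every selinux_config_t directory, yet the quoted denials (create, rename and rmdir on tmp, active, base and files) all come from a module store that is itself labelled selinux_config_t, and since the diffstat shows only selinuxutil.te changed, the patch assumes an interface of that name already exists in selinuxutil.if. Suggest the commit message say where the module store lives on the affected system; if the store is mislabelled rather than a rule missing, correcting the label is the narrower fix. Note also that every SYSCALL record paired with a denial shows success=yes, so the log was collected with the domain or system in permissive mode, which is worth stating when the denials are used to justify new rules.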
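As an added check that is not part of this thread or of refpolicy, the following Python script reduces the audit records David quoted to the single allow rule they imply and flags that each paired SYSCALL record shows success=yes beside the AVC denial, meaning the log was taken with the domain or system permissive. The embedded records are copied from the quoted log and trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# Records copied from the quoted audit log, trimmed to the fields parsed below.
AUDIT_LOG = """\
type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 comm="semodule"
type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 comm="semodule"
type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 comm="semodule"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.:]+)\): avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<id>[\d.:]+)\):.* success=(?P<ok>\w+)')

def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    return context.split(":")[2]

def summarize(log):
    """Collapse AVC denials to (source type, target type, class) -> permissions and
    report whether any denied syscall still succeeded (permissive mode or domain)."""
    syscall_ok = {}
    for line in log.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscall_ok[m["id"]] = m["ok"] == "yes"
    rules = defaultdict(set)
    permissive = False
    for line in log.splitlines():
        m = AVC_RE.match(line)
        if m:
            rules[(type_of(m["s"]), type_of(m["t"]), m["cls"])].update(m["perms"].split())
            permissive = permissive or syscall_ok.get(m["id"], False)
    return dict(rules), permissive

def to_te(rules):
    """Render the summary as raw allow rules, the way audit2allow would print them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

The raw rule it prints is the minimum the denials ask for; mapping it onto a refpolicy interface, or deciding the store is mislabelled instead, is the policy decision the thread is about.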