From: dsugar@tresys.com (David Sugar)
Date: Thu, 12 Oct 2017 16:10:51 +0000
Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories
In-Reply-To: <87e8b77b-a5ea-acf2-adef-30ad90a758ec@ieee.org>
References: <87e8b77b-a5ea-acf2-adef-30ad90a758ec@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Wednesday, October 11, 2017 6:34 PM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow semanage_t to manage
> directories
>
> On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> > Using semodule to install a module (and in turn rebuild the policy) is
> > making a tmp directory. This directory creation was being denied (see
> > below audit logs). The change allows these directories to be created
> > (and removed).
> >
> > ... snip ...
> >
> > Signed-off-by: Dave Sugar
> > ---
> >  policy/modules/system/selinuxutil.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/selinuxutil.te
> > b/policy/modules/system/selinuxutil.te
> > index e9f86664..b14a901d 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> >  seutil_libselinux_linked(semanage_t)
> >  seutil_manage_file_contexts(semanage_t)
> >  seutil_manage_config(semanage_t)
> > +seutil_manage_config_dirs(semanage_t)
> >  seutil_run_setfiles(semanage_t, semanage_roles)
> >  seutil_run_loadpolicy(semanage_t, semanage_roles)
> >  seutil_manage_bin_policy(semanage_t)
>
> This shouldn't be necessary as current systems have the module store in
> /var/lib/selinux, which is all semanage_store_t.
>

Thanks for pointing this out. It turns out that RHEL 7.3 (and 7.4) are still defaulting the store-root to /etc/selinux, hence the denial I was seeing. They make a reference to this in the 7.3 release notes: "Chapter 15: Security" (page 83) of the RHEL 7.3 changelog [1] mentions the update of the selinux userspace and the /var/lib/selinux vs /etc/selinux issue. Supposedly RedHat bugzilla #1297815 contains the reason they default to /etc/selinux, but it looks like it isn't a publicly viewable bug.

I have changed the store-root in /etc/selinux/semanage.conf to point to /var/lib/selinux on the system I am working on and it seems to be functioning correctly (with minimal testing so far). If for some reason I find problems I will resubmit with an 'ifdef(distro_redhat)' around that interface call.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/7.3_Release_Notes/Red_Hat_Enterprise_Linux-7-7.3_Release_Notes-en-US.pdf

> --
> Chris PeBenito
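Review bot: the added line `+seutil_manage_config_dirs(semanage_t)` in the @@ -525,6 +525,7 @@ hunk is unconditional, but the thread shows the denial only occurs where store-root is still /etc/selinux (RHEL 7.3 and 7.4); on systems whose module store lives under /var/lib/selinux (semanage_store_t) the rule would grant semanage_t directory create/remove rights over the /etc/selinux configuration tree that it does not need. Suggest either dropping the change in favour of correcting store-root in semanage.conf, or wrapping the call as the author proposes, ifdef(`distro_redhat',` ... `), and recording the store-root reason in the commit message, since the referenced audit logs were snipped and the message as quoted does not explain which directory was being created.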