From: dsugar@tresys.com (Dave Sugar)
Date: Wed, 11 Apr 2018 21:09:53 -0400
Subject: [refpolicy] [PATCH] Add files_base_type attribute to policy for
	RHEL 7.x
Message-ID: <20180412010953.22790-1-dsugar@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On RHEL 7.x I get the following traceback when using audit2allow.
It turns out Redhat checks for the existence of attribute 'base_file_type'.
Adding this attribute in order for the policycoreutil to function properly.

Traceback (most recent call last):
  File "/bin/audit2allow", line 365, in <module>
    app.main()
  File "/bin/audit2allow", line 351, in main
    self.__read_input()
  File "/bin/audit2allow", line 129, in __read_input
    parser = audit.AuditParser(last_load_only=self.__options.lastreload)
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 358, in __init__
    self.__initialize()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 370, in __initialize
    self.__store_base_types()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 549, in __store_base_types
    self.base_types = sepolicy.get_types_from_attribute("base_file_type")
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 110, in get_types_from_attribute
    return info(ATTRIBUTE, attribute)[0]["types"]
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 53, in info
    dict_list = _policy.info(setype, name)
RuntimeError: Invalid argument

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/domain.te |  6 ++++++
 policy/modules/kernel/files.if  | 21 +++++++++++++++++++++
 policy/modules/kernel/files.te  |  5 +++++
 3 files changed, 32 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index e44e3444..0ca26d5d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,12 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+ifdef(`distro_redhat',`
+	# allow all domains to search through base_file_type directory, since users
+	# sometimes place labels within these directories.  (samba_share_t) for example.
+	files_search_base_file_types(domain)
+')
+
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
 	# listen code, before protocol-specific
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e9bc8dd9..68b4af2d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7049,3 +7049,24 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+#######################################
+## <summary>
+##	Search all base file dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_search_base_file_types',`
+	ifdef(`distro_redhat',`
+		gen_require(`
+			attribute base_file_type;
+		')
+	
+		allow $1 base_file_type:dir search_dir_perms;
+	')
+') 
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index f7cf321f..9dd721ed 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,6 +5,11 @@ policy_module(files, 1.25.1)
 # Declarations
 #
 
+
+ifdef(`distro_redhat',`
+	attribute base_file_type;
+')
+
 attribute file_type;
 attribute files_unconfined_type;
 attribute lockfile;
-- 
2.14.3