From: dsugar@tresys.com (Dave Sugar)
Date: Wed, 11 Apr 2018 21:09:53 -0400
Subject: [refpolicy] [PATCH] Add files_base_type attribute to policy for RHEL 7.x
Message-ID: <20180412010953.22790-1-dsugar@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On RHEL 7.x I get the following traceback when using audit2allow. It turns out Redhat checks for the existence of attribute 'base_file_type'. Adding this attribute in order for the policycoreutil to function properly.

Traceback (most recent call last):
  File "/bin/audit2allow", line 365, in
    app.main()
  File "/bin/audit2allow", line 351, in main
    self.__read_input()
  File "/bin/audit2allow", line 129, in __read_input
    parser = audit.AuditParser(last_load_only=self.__options.lastreload)
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 358, in __init__
    self.__initialize()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 370, in __initialize
    self.__store_base_types()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 549, in __store_base_types
    self.base_types = sepolicy.get_types_from_attribute("base_file_type")
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 110, in get_types_from_attribute
    return info(ATTRIBUTE, attribute)[0]["types"]
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 53, in info
    dict_list = _policy.info(setype, name)
RuntimeError: Invalid argument

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/domain.te |  6 ++++++
 policy/modules/kernel/files.if  | 21 +++++++++++++++++++++
 policy/modules/kernel/files.te  |  5 +++++
 3 files changed, 32 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index e44e3444..0ca26d5d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,12 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+ifdef(`distro_redhat',`
+	# allow all domains to search through base_file_type directory, since users
+	# sometimes place labels within these directories. (samba_share_t) for example.
+	files_search_base_file_types(domain)
+')
+
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
 	# listen code, before protocol-specific
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e9bc8dd9..68b4af2d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7049,3 +7049,24 @@ interface(`files_unconfined',`
 	typeattribute $1 files_unconfined_type;
 ')
+
+#######################################
+##
+##	Search all base file dirs.
+##
+##
+##
+##	Domain allowed access
+##
+##
+#
+interface(`files_search_base_file_types',`
+	ifdef(`distro_redhat',`
+		gen_require(`
+			attribute base_file_type;
+		')
+
+		allow $1 base_file_type:dir search_dir_perms;
+	')
+')
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index f7cf321f..9dd721ed 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,6 +5,11 @@ policy_module(files, 1.25.1)
 # Declarations
 #
+
+ifdef(`distro_redhat',`
+	attribute base_file_type;
+')
+
 attribute file_type;
 attribute files_unconfined_type;
 attribute lockfile;
-- 
2.14.3
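Review bot: The new `files_search_base_file_types(domain)` call in domain.te grants every domain `search` on any directory type that later carries `base_file_type`, yet nothing in this patch assigns a type to the attribute, so the rule is a no-op today and its effect will appear silently the first time a module adds `typeattribute some_t base_file_type;`. The comment above the call should make that explicit, e.g. `# NOTE: any type later added to base_file_type becomes searchable by all domains`. The `ifdef(`distro_redhat',`...')` wrapper around the call is also redundant with the identical conditional inside the interface body in files.if, though keeping it does make the distro dependency visible at the call site.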
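Review bot: The summary of `files_search_base_file_types` in files.if reads `Search all base file dirs.` but does not tell a caller that the body is a no-op unless `distro_redhat` is defined, which is unusual for a files.if interface and easy to misread as an unconditional grant. Suggest `##	Search all base file dirs (distro_redhat builds only; no-op otherwise).` for the summary, and a sentence in the parameter description noting that `base_file_type` has no member types until other modules add them.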
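Review bot: `attribute base_file_type;` in files.te is declared but nothing in this patch populates it, and there is no companion interface (analogous to `files_type()` for `file_type`) through which other modules could add their types. Declaring the attribute is enough to stop the `RuntimeError` quoted in the commit message, but it presumably leaves sepolgen's `base_types` list empty on refpolicy builds, so whatever audit2allow does with that list stays inert; confirm that is the intended outcome rather than a partial port. A declaration comment would help the next reader, e.g. `# Queried by RHEL sepolgen/audit2allow; no types are assigned to it here.`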