From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 12 Apr 2018 18:55:08 -0400
Subject: [refpolicy] [PATCH] Add files_base_type attribute to policy for RHEL 7.x
In-Reply-To: <20180412010953.22790-1-dsugar@tresys.com>
References: <20180412010953.22790-1-dsugar@tresys.com>
Message-ID: <431f484d-ba55-1528-7848-e7baa1a49fa1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/11/2018 09:09 PM, Dave Sugar via refpolicy wrote:
> On RHEL 7.x I get the following traceback when using audit2allow.
> It turns out Red Hat checks for the existence of attribute 'base_file_type'.
> Adding this attribute in order for policycoreutils to function properly.
>
> Traceback (most recent call last):
> File "/bin/audit2allow", line 365, in
> app.main()
> File "/bin/audit2allow", line 351, in main
> self.__read_input()
> File "/bin/audit2allow", line 129, in __read_input
> parser = audit.AuditParser(last_load_only=self.__options.lastreload)
> File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 358, in __init__
> self.__initialize()
> File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 370, in __initialize
> self.__store_base_types()
> File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 549, in __store_base_types
> self.base_types = sepolicy.get_types_from_attribute("base_file_type")
> File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 110, in get_types_from_attribute
> return info(ATTRIBUTE, attribute)[0]["types"]
> File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 53, in info
> dict_list = _policy.info(setype, name)
> RuntimeError: Invalid argument

This is a bug in audit2allow. It shouldn't be hard-coding policy symbols.

NAK

> Signed-off-by: Dave Sugar
> ---
> policy/modules/kernel/domain.te | 6 ++++++
> policy/modules/kernel/files.if | 21 +++++++++++++++++++++
> policy/modules/kernel/files.te | 5 +++++
> 3 files changed, 32 insertions(+)
> > diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te > index e44e3444..0ca26d5d 100644 > --- a/policy/modules/kernel/domain.te > +++ b/policy/modules/kernel/domain.te > @@ -110,6 +110,12 @@ term_use_controlling_term(domain) > # list the root directory > files_list_root(domain) > > +ifdef(`distro_redhat',` > + # allow all domains to search through base_file_type directory, since users > + # sometimes place labels within these directories. (samba_share_t) for example. > + files_search_base_file_types(domain) > +') > + > ifdef(`hide_broken_symptoms',` > # This check is in the general socket > # listen code, before protocol-specific > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index e9bc8dd9..68b4af2d 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -7049,3 +7049,24 @@ interface(`files_unconfined',` > > typeattribute $1 files_unconfined_type; > ') > + > +####################################### > +## > +## Search all base file dirs. > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`files_search_base_file_types',` > + ifdef(`distro_redhat',` > + gen_require(` > + attribute base_file_type; > + ') > + > + allow $1 base_file_type:dir search_dir_perms; > + ') > +') > + > diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te > index f7cf321f..9dd721ed 100644 > --- a/policy/modules/kernel/files.te > +++ b/policy/modules/kernel/files.te > @@ -5,6 +5,11 @@ policy_module(files, 1.25.1) > # Declarations > # > > + > +ifdef(`distro_redhat',` > + attribute base_file_type; > +') > + > attribute file_type; > attribute files_unconfined_type; > attribute lockfile; > -- Chris PeBenito
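Review bot: In the domain.te hunk, files_search_base_file_types(domain) grants every domain search on every directory carrying base_file_type, yet nothing in this patch attaches base_file_type to any type, so as posted the rule matches no directories and the comment about samba_share_t describes behaviour the series does not implement; either assign the attribute where such directory types are declared (the files_type interface would be the natural place) or reword the comment to say the attribute exists only so audit2allow's lookup succeeds. The surrounding ifdef(`distro_redhat',...) is also redundant here, since the interface body already carries the same ifdef.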
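Review bot: In the files.if hunk, the inner ifdef(`distro_redhat',...) makes files_search_base_file_types a silent no-op on every non-Red Hat build, and the interface summary does not say so; state that the interface only has effect with distro_redhat so callers understand why the allow rule disappears elsewhere. Style: the hunk appends a trailing blank line after the closing ') at end of file, which should be dropped.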
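Review bot: In the files.te hunk, the added blank line before the ifdef leaves two consecutive blank lines under the "# Declarations" banner; drop one. The subject line says files_base_type while the declaration is base_file_type, so the subject should be corrected to match. Since the attribute is declared but never assigned to a type, please confirm on an RHEL 7.x build that the sepolicy.get_types_from_attribute("base_file_type") call shown in the quoted traceback actually succeeds against an attribute with no member types; that is the only effect this patch has beyond the search rule.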