2017-10-11 15:08:19

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories

Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory. This directory creation was being denied (see below audit logs). The change allows these directories to be created (and removed).

type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.156:121): avc: denied { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1
type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1507612985.497:125): avc: denied { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/selinuxutil.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index e9f86664..b14a901d 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
+seutil_manage_config_dirs(semanage_t)
seutil_run_setfiles(semanage_t, semanage_roles)
seutil_run_loadpolicy(semanage_t, semanage_roles)
seutil_manage_bin_policy(semanage_t)
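Review bot: the new seutil_manage_config_dirs(semanage_t) line grants semanage_t manage rights (create, rename, remove) on every selinux_config_t directory, which is wider than the problem it answers. All five denials in the commit message are on directories named tmp, active, base and files under selinux_config_t, i.e. the libsemanage module-store layout living under /etc/selinux; on a system whose store-root is /var/lib/selinux those directories are semanage_store_t and this rule is never exercised. The store location, or at most a distro-conditional rule, is the right place to fix this rather than an unconditional widening of semanage_t's write access to /etc/selinux. Also, every SYSCALL record pasted above shows success=yes next to its AVC denial, so the log was collected in permissive mode (or from a permissive domain); the commit message should say so, since it explains why semodule appeared to work despite the denials.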
--
2.13.5


2017-10-11 22:34:10

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories

On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> Using semodule to install a module (and in turn rebuild the policy) is making a tmp directory. This directory creation was being denied (see below audit logs). The change allows these directories to be created (and removed).
>
> type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 a0=7f1c74600a50 a1=1c0 a2=fffffffffffffe90 a3=7ffd2b0c8500 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.155:120): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600590 a1=7f1c74601170 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.156:121): avc: denied { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.156:121): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c74600a50 a1=7f1c74600590 a2=fffffffffffffe90 a3=4 items=4 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=MAC_POLICY_LOAD msg=audit(1507612985.219:123): policy loaded auid=998 ses=1
> type=SYSCALL msg=audit(1507612985.219:123): arch=c000003e syscall=1 success=yes exit=596279 a0=4 a1=7f54cbec4010 a2=91937 a3=7ffcf0105890 items=0 ppid=760 pid=770 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.491:124): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8190 a1=ffffffff a2=7f1c735a1788 a3=7ffd2b0c7c70 items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1507612985.497:125): avc: denied { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1507612985.497:125): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd2b0c8490 a1=ffffffff a2=7f1c735a1790 a3=1a items=2 ppid=759 pid=760 auid=998 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 key=(null)
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/selinuxutil.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index e9f86664..b14a901d 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> seutil_libselinux_linked(semanage_t)
> seutil_manage_file_contexts(semanage_t)
> seutil_manage_config(semanage_t)
> +seutil_manage_config_dirs(semanage_t)
> seutil_run_setfiles(semanage_t, semanage_roles)
> seutil_run_loadpolicy(semanage_t, semanage_roles)
> seutil_manage_bin_policy(semanage_t)


This shouldn't be necessary as current systems have the module store in
/var/lib/selinux, which is all semanage_store_t.

--
Chris PeBenito

2017-10-12 16:10:51

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Allow semanage_t to manage directories



> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Wednesday, October 11, 2017 6:34 PM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow semanage_t to manage
> directories
>
> On 10/11/2017 11:08 AM, David Sugar via refpolicy wrote:
> > Using semodule to install a module (and in turn rebuild the policy) is
> making a tmp directory. This directory creation was being denied (see
> below audit logs). The change allows these directories to be created
> (and removed).
> >
... snip ...
> >
> > Signed-off-by: Dave Sugar <[email protected]>
> > ---
> > policy/modules/system/selinuxutil.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/selinuxutil.te
> > b/policy/modules/system/selinuxutil.te
> > index e9f86664..b14a901d 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -525,6 +525,7 @@ miscfiles_read_localization(semanage_t)
> > seutil_libselinux_linked(semanage_t)
> > seutil_manage_file_contexts(semanage_t)
> > seutil_manage_config(semanage_t)
> > +seutil_manage_config_dirs(semanage_t)
> > seutil_run_setfiles(semanage_t, semanage_roles)
> > seutil_run_loadpolicy(semanage_t, semanage_roles)
> > seutil_manage_bin_policy(semanage_t)
>
>
> This shouldn't be necessary as current systems have the module store in
> /var/lib/selinux, which is all semanage_store_t.
>

Thanks for pointing this out. It turns out that RHEL 7.3 (and 7.4) are still defaulting the store-root to /etc/selinux, hence the denial I was seeing. They make a reference to this in the 7.3 release notes; "Chapter 15: Security" (page 83) of the RHEL 7.3 changelog [1] mentions the update of the SELinux userspace and the /var/lib/selinux vs /etc/selinux issue. Supposedly Red Hat Bugzilla #1297815 contains the reason they default to /etc/selinux, but it looks like it isn't a publicly viewable bug.

I have changed the store-root in /etc/selinux/semanage.conf to point to /var/lib/selinux on the system I am working on and it seems to be functioning correctly (with minimal testing so far). If for some reason I find problems, I will resubmit with an 'ifdef(distro_redhat)' around that interface call.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/7.3_Release_Notes/Red_Hat_Enterprise_Linux-7-7.3_Release_Notes-en-US.pdf

> --
> Chris PeBenito
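The denials in David's commit message and the store-location point in Chris's reply, as an added example that is not part of this thread and is not code from refpolicy or the SELinux userspace: a small audit2allow-style pass in Python over the posted AVC records. It collapses the denials into the one allow rule they imply, and then checks whether the denied directory names are the module-store layout (tmp, active, base, files; that name set is an assumption taken from the names in the denials) sitting under selinux_config_t rather than semanage_store_t, which is the signal that store-root, not policy, is what needs fixing. The sample input is constructed from the AVC lines above, with the SYSCALL records trimmed to one.

```python
"""Added example: audit2allow-style summary of the AVC denials posted in
this thread, plus a check for the module store living under
selinux_config_t. Not part of refpolicy or of any SELinux userspace tool."""
import re
from collections import defaultdict

# Constructed sample: the AVC records from the posted commit message, with
# one abbreviated SYSCALL record kept to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1507612960.892:118): avc: denied { create } for pid=760 comm="semodule" name="tmp" scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1507612960.892:118): arch=c000003e syscall=83 success=yes exit=0 comm="semodule" exe="/usr/sbin/semodule"
type=AVC msg=audit(1507612985.155:120): avc: denied { rename } for pid=760 comm="semodule" name="active" dev="dm-0" ino=9858 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.156:121): avc: denied { rename } for pid=760 comm="semodule" name="tmp" dev="dm-0" ino=9880 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.491:124): avc: denied { rmdir } for pid=760 comm="semodule" name="base" dev="dm-0" ino=100978805 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1507612985.497:125): avc: denied { rmdir } for pid=760 comm="semodule" name="files" dev="dm-0" ino=100929366 scontext=staff_u:sysadm_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
"""

# Fields of an AVC denial record that matter for deriving an allow rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scon>\S+)'
    r'.*?\btcontext=(?P<tcon>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')

# Assumption: the directory names libsemanage keeps inside its module
# store, taken from the names that appear in the denials above.
STORE_DIRS = {"tmp", "active", "base", "files"}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        n = NAME_RE.search(line)
        out.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scon")),
            "ttype": context_type(m.group("tcon")),
            "tclass": m.group("tclass"),
            "name": n.group(1) if n else None,
        })
    return out


def implied_allow_rules(denials):
    """Merge permissions per (source, target, class) and render each group
    as an 'allow' rule, the way audit2allow summarises denials."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def store_under_config(denials):
    """True when every denied selinux_config_t directory is a module-store
    directory: the store-root is under /etc/selinux, so a policy rule would
    only paper over a store-location problem."""
    names = {d["name"] for d in denials
             if d["tclass"] == "dir" and d["ttype"] == "selinux_config_t"}
    return bool(names) and names <= STORE_DIRS


if __name__ == "__main__":
    ds = parse_denials(SAMPLE_AUDIT)
    for rule in implied_allow_rules(ds):
        print(rule)
    if store_under_config(ds):
        print("module store appears to live under selinux_config_t; "
              "check store-root in /etc/selinux/semanage.conf before adding policy")
```

On the posted records the script yields exactly one rule, allow semanage_t selinux_config_t:dir { create rename rmdir }, and the store check fires; a denial whose target is semanage_store_t does not trigger it, which is the /var/lib/selinux case Chris describes.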