From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 27 Sep 2013 22:25:11 +0200
Subject: [refpolicy] [PATCH] selinuxutil: semanage create, rmdir, rename directories tmp, active, previous in /etc/selinux/default/modules/ when i use semanage fcontext -a ...
In-Reply-To: <5245E94D.401@tresys.com>
References: <1380274015-28055-1-git-send-email-dominick.grift@gmail.com> <5245E3D5.8070309@tresys.com> <1380312364.23967.2.camel@d30> <5245E94D.401@tresys.com>
Message-ID: <1380313511.23967.3.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2013-09-27 at 16:23 -0400, Christopher J. PeBenito wrote:
> On Fri 27 Sep 2013 04:06:04 PM EDT, Dominick Grift wrote:
> > On Fri, 2013-09-27 at 16:00 -0400, Christopher J. PeBenito wrote:
> >> On Fri 27 Sep 2013 05:26:55 AM EDT, Dominick Grift wrote:
> >>>
> >>> Signed-off-by: Dominick Grift
> >>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > >>> index ec01d0b..246fa97 100644 > >>> --- a/policy/modules/system/selinuxutil.te > >>> +++ b/policy/modules/system/selinuxutil.te 
> >>> @@ -492,6 +492,7 @@ > >>> seutil_libselinux_linked(semanage_t) > >>> seutil_manage_file_contexts(semanage_t) > >>> seutil_manage_config(semanage_t) > >>> +seutil_manage_config_dirs(semanage_t) > >>> seutil_run_setfiles(semanage_t, semanage_roles) > >>> seutil_run_loadpolicy(semanage_t, semanage_roles) > >>> seutil_manage_bin_policy(semanage_t)
> >>
> >> Sounds like mislabeled files. Everything under /etc/selinux/*/modules
> >> should be semanage_store_t.
> >
> > Not really, it creates a tmp dir under /etc/selinux/default/modules
> > (inheriting the type of the parent), then it renames and removes that
> > dir.
> >
> > You want me to tell selinux that semanage_t creates that tmp dir with a
> > type transition from selinux_config_t to semanage_store_t?
>
> That seems like a better choice. Alternatively we can look at making
> the fc change to:
>
> /etc/selinux/([^/]*/)?modules(/.*)?
> gen_context(system_u:object_r:semanage_store_t,s0)
>
> but that may have a broader impact.
>

OK, I will take my time and investigate this further.

> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
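
Review bot: the added seutil_manage_config_dirs(semanage_t) line in the @@ -492,6 +492,7 @@ hunk of selinuxutil.te looks broader than the behaviour in the subject line, which only concerns the tmp, active and previous directories under /etc/selinux/default/modules/. Judging by the interface name, it grants semanage_t management of config-typed directories in general. Consider the narrower option raised in the thread instead, a type transition from selinux_config_t to semanage_store_t, so that the temporary directory is created with the store type. The commit also has no message body beyond the subject and Signed-off-by. A sentence recording that the access is triggered by semanage fcontext -a, and why the directory inherits the parent's type, would help later review.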