* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
@ 2010-12-21  3:35 HarryCiao
  2011-01-10 14:27 ` Christopher J. PeBenito
From: HarryCiao @ 2010-12-21  3:35 UTC (permalink / raw)
  To: refpolicy


1. Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed there, with the error messages below.
BTW, semanage_t should be able to upgrade an existing pp regardless of
whether MLS is enabled or not.
 
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root at qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root at qemu-host:/root>
 
2. Make semanage_t able to manage the policy store directory; otherwise it
would fail to update an existing pp.
 
root at qemu-host:/root> semodule -u vlock.pp
type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/refpolicy/modules/active to /etc/selinux/refpolicy/modules/previous. (Permission denied).
semodule: Failed!
 
type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
Attachments:
0001-semanage_t-read-from-userhomedirs.patch (application/octet-stream, 3175 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0002.obj
0002-semanage_t-manage-policy-store.patch (application/octet-stream, 1697 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0003.obj


* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
  2010-12-21  3:35 [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir HarryCiao
@ 2011-01-10 14:27 ` Christopher J. PeBenito
  2011-01-11  3:38   ` HarryCiao
From: Christopher J. PeBenito @ 2011-01-10 14:27 UTC (permalink / raw)
  To: refpolicy

On 12/20/10 22:35, HarryCiao wrote:
> 1. Make semanage_t able to read from user homedirs or /tmp. Otherwise it
> would fail to upgrade a .pp installed in there with below error messages.
> BTW, semanage_t should be able to upgrade existing pp no matter if the
> MLS is enabled or not.
>  
> root at qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> semodule: Failed on selinuxutil.pp!
> root at qemu-host:/root> setenforce 0
> type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
> root at qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761
> comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1403 audit(1288863419.918:66): policy loaded auid=4294967295
> ses=4294967295
> root at qemu-host:/root>

Merged.

> 2. Make semanage_t able to manage the policy store directory, otherwise it
> would fail to update an existing pp.
>  
> root at qemu-host:/root> semodule -u vlock.pp
> type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696
> comm="semodule" name="active" dev=sda ino=76175
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/refpolicy/modules/active to
> /etc/selinux/refpolicy/modules/previous. (Permission denied).
> semodule: Failed!
>  
> type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701
> comm="semodule" name="modules" dev=sda ino=76184
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir

These directories are mislabeled.  They should be semanage_store_t, not
selinux_config_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
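
To make the distinction Chris draws above mechanical, here is an added Python example (not part of the thread, of refpolicy, or of libsemanage) that parses the AVC records quoted in both messages, groups them the way audit2allow would, and then separates a genuine policy gap (semanage_t reading a .pp under the user home directory, fixed by the first patch) from a labeling problem (policy-store directories carrying selinux_config_t instead of semanage_store_t), where the right fix is relabeling rather than a new allow rule. The directory-name heuristic (active, modules, previous, taken from the libsemanage error path quoted in the thread) and the EXPECTED_STORE_TYPE constant are assumptions made for this example; on a real host you would confirm the expected label with matchpathcon or a restorecon -n dry run rather than a name list.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit records quoted in the thread, one per entry.
# The type=1404 and type=1403 records are not AVC denials and must be skipped.
SAMPLE_AUDIT = [
    'type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir',
    'type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295',
    'type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir',
    'type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295',
    'type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir',
    'type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir',
]

# Per Chris's reply the policy store must be labeled semanage_store_t. The directory
# names come from the libsemanage error path quoted in the thread
# (/etc/selinux/refpolicy/modules/active -> previous). Both are assumptions of this
# example, not anything libsemanage exports.
EXPECTED_STORE_TYPE = 'semanage_store_t'
POLICY_STORE_NAMES = {'modules', 'active', 'previous'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the record's key=value fields plus stype/ttype/perms,
    or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; only the type matters for TE rules, so the
    # MLS range (present on the secadm_r records, absent on sysadm_r ones) is ignored.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['perms'] = m.group('perms').split()
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) -> set of permissions,
    the same grouping audit2allow performs before emitting allow rules."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(summary)


def format_allow(key, perms):
    """Render one grouped denial as a TE allow rule."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def classify(lines):
    """Split denials into two buckets:
    - rules:   genuine policy gaps, rendered as allow rules
    - relabel: policy-store directories carrying the wrong type, where the fix is
               relabeling (restorecon) rather than a new allow rule
    Returns (sorted list of rule strings, sorted list of (name, wrong_type))."""
    gaps = defaultdict(set)
    relabel = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        mislabeled = (rec['tclass'] == 'dir'
                      and rec.get('name') in POLICY_STORE_NAMES
                      and rec['ttype'] != EXPECTED_STORE_TYPE)
        if mislabeled:
            relabel.add((rec['name'], rec['ttype']))
        else:
            gaps[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = [format_allow(k, v) for k, v in sorted(gaps.items())]
    return rules, sorted(relabel)


if __name__ == '__main__':
    rules, relabel = classify(SAMPLE_AUDIT)
    print('policy gaps (candidate allow rules):')
    for r in rules:
        print('  ' + r)
    print('mislabeled policy-store directories (relabel, do not allow):')
    for name, wrong in relabel:
        print(f'  {name}: labeled {wrong}, expected {EXPECTED_STORE_TYPE}')
```

Run stand-alone, the script reports the two user_home rules as candidate allow rules and lists active and modules as mislabeled. Because the parser keeps only the type field of each context, the same record classifies identically whether or not the source carries an MLS range, which is the behaviour Harry asks for in point 1; and because the rename/rmdir denials are routed to the relabel bucket, a reviewer is not tempted to paper over a mislabeled store with an allow rule on selinux_config_t.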


* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
  2011-01-10 14:27 ` Christopher J. PeBenito
@ 2011-01-11  3:38   ` HarryCiao
From: HarryCiao @ 2011-01-11  3:38 UTC (permalink / raw)
  To: refpolicy


Thanks Chris! 

I really should have been more careful to find the policy store not properly labeled as semanage_store_t!

Best regards,
Harry

