From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 10 Jan 2011 09:27:06 -0500
Subject: [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
Message-ID: <4D2B173A.4010905@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/20/10 22:35, HarryCiao wrote:
> 1. Make semanage_t able to read from user homedirs or /tmp. Otherwise it
> would fail to upgrade a .pp installed in there, with the error messages
> below. BTW, semanage_t should be able to upgrade an existing pp no matter
> whether MLS is enabled or not.
>
> root@qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> semodule: Failed on selinuxutil.pp!
> root@qemu-host:/root> setenforce 0
> type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
> root@qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761
> comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1403 audit(1288863419.918:66): policy loaded auid=4294967295
> ses=4294967295
> root@qemu-host:/root>

Merged.

> 2. Make semanage_t able to manage the policy store directory, otherwise it
> would fail to update an existing pp.
>
> root@qemu-host:/root> semodule -u vlock.pp
> type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696
> comm="semodule" name="active" dev=sda ino=76175
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/refpolicy/modules/active to
> /etc/selinux/refpolicy/modules/previous. (Permission denied).
> semodule: Failed!
>
> type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701
> comm="semodule" name="modules" dev=sda ino=76184
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir

These directories are mislabeled. They should be semanage_store_t, not
selinux_config_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
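The two fixups above illustrate a triage decision that comes up with every AVC denial: is this a genuine gap in policy (fixup 1, semanage_t reading a .pp out of a home directory), or a symptom of mislabeled files that an allow rule would only paper over (fixup 2, where the policy store under /etc/selinux/refpolicy/modules carried selinux_config_t instead of semanage_store_t)? The script below is an added example, not code from this thread or from refpolicy. It parses AVC records of the shape quoted above (re-typed here as constructed sample input), collapses them into audit2allow-style allow rules, checks a constructed `ls -dZ` listing against a small file-contexts table, and marks any synthesized rule whose target type is one the labeling check flagged. The table `EXPECTED_FC` is an assumption, reduced from the refpolicy file-contexts convention that the policy store under /etc/selinux/<store>/modules is semanage_store_t while the rest of /etc/selinux is selinux_config_t; the helper names `parse_avc`, `find_mislabels` and `triage` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, unwrapped onto one
# line each (not a live audit log). The type=1403 record is kept to show that
# non-denial records are skipped.
SAMPLE_AVC = """\
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
"""

# Constructed listing of (path, context) pairs as `ls -dZ` would report them,
# using the paths and types named in the thread.
OBSERVED = [
    ("/etc/selinux/config", "system_u:object_r:selinux_config_t:s0"),
    ("/etc/selinux/refpolicy/modules", "unconfined_u:object_r:selinux_config_t"),
    ("/etc/selinux/refpolicy/modules/active", "unconfined_u:object_r:selinux_config_t"),
    ("/root/selinuxutil.pp", "root:object_r:user_home_t:s0"),
]

# Assumption: a reduced file-contexts table in the shape of refpolicy's
# selinuxutil.fc. Generic entries come first so that the last matching entry
# wins, as file_contexts(5) requires; verify real expectations with matchpathcon.
EXPECTED_FC = [
    (re.compile(r"/etc/selinux(/.*)?"), "selinux_config_t"),
    (re.compile(r"/etc/selinux/([^/]*/)?modules(/.*)?"), "semanage_store_t"),
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (always the third field)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV_RE.findall(line)}
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "path": fields.get("path"),
        })
    return records


def group_denials(records):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(grouped)


def format_rule(key, perms):
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def synthesize_rules(records):
    grouped = group_denials(records)
    return [format_rule(k, grouped[k]) for k in sorted(grouped)]


def expected_type(path, fc=EXPECTED_FC):
    """Type the table assigns to path (last match wins), or None if no entry matches."""
    result = None
    for pattern, ttype in fc:
        if pattern.fullmatch(path):
            result = ttype
    return result


def find_mislabels(observed, fc=EXPECTED_FC):
    """[(path, observed_type, expected_type)] for paths whose type disagrees with the table."""
    bad = []
    for path, ctx in observed:
        want = expected_type(path, fc)
        have = context_type(ctx)
        if want is not None and have != want:
            bad.append((path, have, want))
    return bad


def triage(records, mislabels):
    """Split synthesized rules into genuine policy gaps and rules that would only
    mask a labeling bug (their target type is one that find_mislabels flagged)."""
    wrong_types = {have for _, have, _ in mislabels}
    grouped = group_denials(records)
    result = {"policy_gap": [], "relabel_instead": []}
    for key in sorted(grouped):
        bucket = "relabel_instead" if key[1] in wrong_types else "policy_gap"
        result[bucket].append(format_rule(key, grouped[key]))
    return result


if __name__ == "__main__":
    bad = find_mislabels(OBSERVED)
    for path, have, want in bad:
        print(f"relabel {path}: {have} -> {want}")
    verdict = triage(parse_avc(SAMPLE_AVC), bad)
    print("genuine policy gaps (candidates for the policy fixup):")
    for rule in verdict["policy_gap"]:
        print("  " + rule)
    print("do not add these; fix the labels instead:")
    for rule in verdict["relabel_instead"]:
        print("  " + rule)
```

On the sample input the first three denials collapse into rules against user_home_dir_t and user_home_t, which is what fixup 1 addresses, while the rename/rmdir pair collapses into a rule against selinux_config_t that lands in the relabel bucket: on a real host the fix for that one is `restorecon -Rv /etc/selinux/<store>/modules` (after confirming with `matchpathcon` that the store really maps to semanage_store_t in the installed file contexts), not an allow rule.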