[refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
@ 2010-12-21  3:35 HarryCiao
  2011-01-10 14:27 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: HarryCiao @ 2010-12-21  3:35 UTC (permalink / raw)
  To: refpolicy


1. 
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with below error messages.
BTW, semanage_t should be able to upgrade existing pp no matter if the
MLS is enabled or not.
 
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root at qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root at qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root at qemu-host:/root>
 
2. 
Make semanage_t able to manage the policy store directory, otherwise it
would fail to update an existing pp.
 
root at qemu-host:/root> semodule -u vlock.pp
type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696 comm="semodule" name="active" dev=sda ino=76175 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/refpolicy/modules/active to /etc/selinux/refpolicy/modules/previous. (Permission denied).
semodule: Failed!
 
type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701 comm="semodule" name="modules" dev=sda ino=76184 scontext=root:sysadm_r:semanage_t tcontext=unconfined_u:object_r:selinux_config_t tclass=dir 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-semanage_t-read-from-userhomedirs.patch
Type: application/octet-stream
Size: 3175 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-semanage_t-manage-policy-store.patch
Type: application/octet-stream
Size: 1697 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/6d3c6246/attachment-0003.obj 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
  2010-12-21  3:35 [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir HarryCiao
@ 2011-01-10 14:27 ` Christopher J. PeBenito
  2011-01-11  3:38   ` HarryCiao
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2011-01-10 14:27 UTC (permalink / raw)
  To: refpolicy

On 12/20/10 22:35, HarryCiao wrote:
> 1. Make semanage_t able to read from user homedirs or /tmp. Otherwise it
> would fail to upgrade a .pp installed in there with below error messages.
> BTW, semanage_t should be able to upgrade existing pp no matter if the
> MLS is enabled or not.
>  
> root at qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> semodule: Failed on selinuxutil.pp!
> root at qemu-host:/root> setenforce 0
> type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
> root at qemu-host:/root> semodule -u selinuxutil.pp
> type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761
> comm="semodule" name="root" dev=sda ino=81921
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761
> comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761
> comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505
> scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> tcontext=root:object_r:user_home_t:s0 tclass=file
> type=1403 audit(1288863419.918:66): policy loaded auid=4294967295
> ses=4294967295
> root at qemu-host:/root>

Merged.

> 2. 
> Make semanage_t able to manage the policy store directory, otherwise it
> would fail to update an existing pp.
>  
> root at qemu-host:/root> semodule -u vlock.pp
> type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696
> comm="semodule" name="active" dev=sda ino=76175
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/refpolicy/modules/active to
> /etc/selinux/refpolicy/modules/previous. (Permission denied).
> semodule: Failed!
>  
> type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701
> comm="semodule" name="modules" dev=sda ino=76184
> scontext=root:sysadm_r:semanage_t
> tcontext=unconfined_u:object_r:selinux_config_t tclass=dir

These directories are mislabeled.  They should be semanage_store_t, not
selinux_config_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
  2011-01-10 14:27 ` Christopher J. PeBenito
@ 2011-01-11  3:38   ` HarryCiao
  0 siblings, 0 replies; 3+ messages in thread
From: HarryCiao @ 2011-01-11  3:38 UTC (permalink / raw)
  To: refpolicy


Thanks Chris! 

I really should have been more careful to find the policy store not properly labeled as semanage_store_t!

Best regards,
Harry

> Date: Mon, 10 Jan 2011 09:27:06 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss.tresys.com
> Subject: Re: two fixups for semanage_t: able to read from userhomedirs and manage policy store dir
> 
> On 12/20/10 22:35, HarryCiao wrote:
> > 1. Make semanage_t able to read from user homedirs or /tmp. Otherwise it
> > would fail to upgrade a .pp installed in there with below error messages.
> > BTW, semanage_t should be able to upgrade existing pp no matter if the
> > MLS is enabled or not.
> >  
> > root at qemu-host:/root> semodule -u selinuxutil.pp
> > type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759
> > comm="semodule" name="root" dev=sda ino=81921
> > scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> > tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> > semodule: Failed on selinuxutil.pp!
> > root at qemu-host:/root> setenforce 0
> > type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1
> > auid=4294967295 ses=4294967295
> > root at qemu-host:/root> semodule -u selinuxutil.pp
> > type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761
> > comm="semodule" name="root" dev=sda ino=81921
> > scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> > tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> > type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761
> > comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> > scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> > tcontext=root:object_r:user_home_t:s0 tclass=file
> > type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761
> > comm="semodule" name="selinuxutil.pp" dev=sda ino=82505
> > scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> > tcontext=root:object_r:user_home_t:s0 tclass=file
> > type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761
> > comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505
> > scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023
> > tcontext=root:object_r:user_home_t:s0 tclass=file
> > type=1403 audit(1288863419.918:66): policy loaded auid=4294967295
> > ses=4294967295
> > root at qemu-host:/root>
> 
> Merged.
> 
> > 2. 
> > Make semanage_t able to manage the policy store directory, otherwise it
> > would fail to update an existing pp.
> >  
> > root at qemu-host:/root> semodule -u vlock.pp
> > type=1400 audit(1288236528.567:27): avc: denied { rename } for pid=696
> > comm="semodule" name="active" dev=sda ino=76175
> > scontext=root:sysadm_r:semanage_t
> > tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
> > libsemanage.semanage_commit_sandbox: Error while renaming
> > /etc/selinux/refpolicy/modules/active to
> > /etc/selinux/refpolicy/modules/previous. (Permission denied).
> > semodule: Failed!
> >  
> > type=1400 audit(1288239973.335:31): avc: denied { rmdir } for pid=701
> > comm="semodule" name="modules" dev=sda ino=76184
> > scontext=root:sysadm_r:semanage_t
> > tcontext=unconfined_u:object_r:selinux_config_t tclass=dir
> 
> These directories are mislabeled.  They should be semanage_store_t, not
> selinux_config_t.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110111/a6158f84/attachment.html 

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2011-01-11  3:38 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-12-21  3:35 [refpolicy] two fixups for semanage_t: able to read from userhomedirs and manage policy store dir HarryCiao
2011-01-10 14:27 ` Christopher J. PeBenito
2011-01-11  3:38   ` HarryCiao

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.