From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 Sep 2013 16:23:41 -0400
Subject: [refpolicy] [PATCH] selinuxutil: semanage create, rmdir, rename directories tmp, active, previous in /etc/selinux/default/modules/ when i use semanage fcontext -a ...
In-Reply-To: <1380312364.23967.2.camel@d30>
References: <1380274015-28055-1-git-send-email-dominick.grift@gmail.com> <5245E3D5.8070309@tresys.com> <1380312364.23967.2.camel@d30>
Message-ID: <5245E94D.401@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri 27 Sep 2013 04:06:04 PM EDT, Dominick Grift wrote:
> On Fri, 2013-09-27 at 16:00 -0400, Christopher J. PeBenito wrote:
>> On Fri 27 Sep 2013 05:26:55 AM EDT, Dominick Grift wrote:
>>>
>>> Signed-off-by: Dominick Grift
>>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
>>> index ec01d0b..246fa97 100644
>>> --- a/policy/modules/system/selinuxutil.te
>>> +++ b/policy/modules/system/selinuxutil.te
>>> @@ -492,6 +492,7 @@
>>> seutil_libselinux_linked(semanage_t)
>>> seutil_manage_file_contexts(semanage_t)
>>> seutil_manage_config(semanage_t)
>>> +seutil_manage_config_dirs(semanage_t)
>>> seutil_run_setfiles(semanage_t, semanage_roles)
>>> seutil_run_loadpolicy(semanage_t, semanage_roles)
>>> seutil_manage_bin_policy(semanage_t)
>>
>> Sounds like mislabeled files. Everything under /etc/selinux/*/modules
>> should be semanage_store_t.
>
> Not really, it creates a tmp dir under /etc/selinux/default/modules
> (inheriting the type of the parent), then it renames and removes that
> dir.
>
> You want me to tell selinux that semanage_t creates that tmp dir with a
> type transition from selinux_config_t to semanage_store_t?

That seems like a better choice.

Alternatively we can look at making the fc change to:

/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)

but that may have a broader impact.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
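Review bot: the one added line in the hunk, `+seutil_manage_config_dirs(semanage_t)` in the semanage_t block at selinuxutil.te:492, is wider than the problem the subject describes. Judging by the interface name it lets semanage_t create, rename and remove directories of the SELinux config type anywhere, while the subject names only the tmp, active and previous directories under /etc/selinux/default/modules/, and the follow-up in the thread says those directories only end up with the wrong type because a freshly created dir inherits selinux_config_t from its parent. The narrower fix is a type transition so that a dir semanage_t creates inside a selinux_config_t directory gets semanage_store_t, the type the rest of the module store already carries, for example `filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir)` in place of the added line; that also avoids handing semanage_t write access to the rest of /etc/selinux. The patch also carries no description beyond the subject line, so a short commit message stating which semanage operation triggers the denial would help whoever reads the log later.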
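The two options weighed above, a type transition for directories that semanage_t creates inside selinux_config_t versus widening the file context so the modules directory itself is semanage_store_t, written out as an added example. This is not code from the thread or from refpolicy's tree; the placement next to the other semanage_t rules in selinuxutil.te, the named-transition variant (which assumes a policy version that supports filename transitions), and the "default" store name in the paths are assumptions, while the types and the fc regex are the ones named in the thread.

```selinux
########################################
#
# Option 1: type transition (the choice favoured above).
# A dir that semanage_t creates inside a selinux_config_t directory is
# labelled semanage_store_t instead of inheriting selinux_config_t from
# its parent, so the later rename and rmdir hit a type semanage_t already
# manages.  filetrans_pattern() is the refpolicy macro that emits the
# rw dir permission on the parent plus the type_transition; it goes next
# to the other semanage_t rules in policy/modules/system/selinuxutil.te.
#
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir)

# Kernel policy statement the macro expands to (for reference only,
# do not write both):
#   type_transition semanage_t selinux_config_t:dir semanage_store_t;

# Tighter variant, assumption: the target supports named file transitions
# (policy version 25 or later).  Only the three directory names from the
# subject line transition; any other dir semanage_t creates in
# selinux_config_t keeps inheriting, so a stray write elsewhere under
# /etc/selinux still shows up as a denial instead of being silently
# relabelled.  Use instead of the unnamed rule above, not in addition.
#
type_transition semanage_t selinux_config_t:dir semanage_store_t "tmp";
type_transition semanage_t selinux_config_t:dir semanage_store_t "active";
type_transition semanage_t selinux_config_t:dir semanage_store_t "previous";

########################################
#
# Option 2: the fc change with the broader impact.
# Label the modules directory itself, not only its children, as
# semanage_store_t, so nothing created underneath inherits
# selinux_config_t in the first place.  This line belongs in
# policy/modules/system/selinuxutil.fc and takes effect only after a
# relabel (restorecon -R /etc/selinux) of the existing tree.
#
/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
```

To confirm which option is actually in effect on a host: `sesearch -T -s semanage_t -t selinux_config_t -c dir` lists the loaded type transitions for option 1, `matchpathcon /etc/selinux/default/modules` shows what option 2 assigns to the parent, and after a `semanage fcontext -a ...` run, `ls -dZ /etc/selinux/default/modules/*` together with `ausearch -m avc -ts recent` shows whether the created directories carry semanage_store_t and whether any denial remains.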