* [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
@ 2014-01-15 18:02 Laurent Bigonville
  2014-01-17 13:55 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Laurent Bigonville @ 2014-01-15 18:02 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Move the filetrans_pattern out of the seutil_manage_module_store
interface, as only semanage_t should be creating this directory.
---
 policy/modules/system/selinuxutil.fc | 2 +-
 policy/modules/system/selinuxutil.if | 1 -
 policy/modules/system/selinuxutil.te | 2 ++
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index d43f3b1..ec19d63 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -9,7 +9,7 @@
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
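Review bot: The widened pattern on the added line now matches the `modules` directory itself and everything beneath it, including `semanage.read.LOCK` and `semanage.trans.LOCK`, so the two lock-file entries that follow keep their own types only because they are more specific and are ordered after it by the file_contexts precedence rules; that dependency is invisible to the next person who edits this block. A short comment above the new entry would make it explicit, e.g. `# whole module store; the more specific lock-file entries below must take precedence`. It is also worth confirming that `active`, `tmp` and `previous`, which the old regex named individually, contain nothing that needs a label other than semanage_store_t, since they are now covered only by the catch-all.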
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e5ff626..bee06f4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
-	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 ')
 
 #######################################
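Review bot: With the file transition removed, callers of seutil_manage_module_store still receive `manage_dirs_pattern($1, selinux_config_t, semanage_store_t)` on the first context line, so a caller that creates `modules` under an selinux_config_t directory is not denied but ends up with a selinux_config_t-labelled directory that later store operations cannot use. The interface's description block, which starts above this hunk, should state that the store is expected to exist already and that only semanage_t creates it, e.g. `## No file transition is granted for the "modules" directory; only semanage_t creates it`. The interface definition starts outside the hunk.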
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 551ac96..cb5610f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
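Review bot: The new filetrans_pattern only labels the `modules` directory at creation time; it presumes semanage_t is already allowed to create directories in selinux_config_t and to manage semanage_store_t, which presumably comes from rules elsewhere in this file that are not visible in the hunk. A one-line why-comment above it would tie it to the .fc and .if changes in the same patch, e.g. `# Only semanage_t creates the top-level module store; other domains use seutil_manage_module_store() on an existing one`.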
-- 
1.8.5.2


* [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
  2014-01-15 18:02 [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t Laurent Bigonville
@ 2014-01-17 13:55 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-01-17 13:55 UTC (permalink / raw)
  To: refpolicy

On 1/15/2014 1:02 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Move the filetrans_patern out of the seutil_manage_module_store
> interface as only semanage_t should be creating this directory
> ---
>  policy/modules/system/selinuxutil.fc | 2 +-
>  policy/modules/system/selinuxutil.if | 1 -
>  policy/modules/system/selinuxutil.te | 2 ++
>  3 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
> index d43f3b1..ec19d63 100644
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -9,7 +9,7 @@
>  /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
>  /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
>  /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
>  /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
>  /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
>  /etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index e5ff626..bee06f4 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
>  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
>  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
>  	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
> -	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>  ')
>  
>  #######################################
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 551ac96..cb5610f 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
>  
>  allow semanage_t policy_config_t:file rw_file_perms;
>  
> +filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
> +
>  allow semanage_t semanage_tmp_t:dir manage_dir_perms;
>  allow semanage_t semanage_tmp_t:file manage_file_perms;
>  files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

