From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 17 Jan 2014 08:55:59 -0500 Subject: [refpolicy] [PATCH] Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t In-Reply-To: <1389808979-4073-1-git-send-email-bigon@debian.org> References: <1389808979-4073-1-git-send-email-bigon@debian.org> Message-ID: <52D9366F.4010206@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 1/15/2014 1:02 PM, Laurent Bigonville wrote: > From: Laurent Bigonville > > Move the filetrans_patern out of the seutil_manage_module_store > interface as only semanage_t should be creating this directory > --- > policy/modules/system/selinuxutil.fc | 2 +- > policy/modules/system/selinuxutil.if | 1 - > policy/modules/system/selinuxutil.te | 2 ++ > 3 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc > index d43f3b1..ec19d63 100644 > --- a/policy/modules/system/selinuxutil.fc > +++ b/policy/modules/system/selinuxutil.fc > @@ -9,7 +9,7 @@ > /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) > /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) > /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) > -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) > +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) > /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) > /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) > /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) 
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index e5ff626..bee06f4 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',` > manage_dirs_pattern($1, selinux_config_t, semanage_store_t) > manage_files_pattern($1, semanage_store_t, semanage_store_t) > manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) > - filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") > ') > > ####################################### > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index 551ac96..cb5610f 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -448,6 +448,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms; > > allow semanage_t policy_config_t:file rw_file_perms; > > +filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules") > + > allow semanage_t semanage_tmp_t:dir manage_dir_perms; > allow semanage_t semanage_tmp_t:file manage_file_perms; > files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
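Review bot: in the selinuxutil.fc hunk, the widened regex `/etc/selinux/([^/]*/)?modules(/.*)?` now matches the `modules` directory itself and everything beneath it, not just the active/tmp/previous subtrees, so the two lock-file entries that follow (`modules/semanage\.read\.LOCK` and `modules/semanage\.trans\.LOCK`) keep semanage_read_lock_t / semanage_trans_lock_t only because they are the more specific match and sort after it; a quick `matchpathcon` on both lock paths after the rebuild would confirm that. Existing installs will also need a relabel of the module store, since the top-level `modules` directory did not previously match any semanage_store_t entry.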
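Review bot: removing `filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")` from seutil_manage_module_store() in the selinuxutil.if hunk changes behaviour for every existing caller of the interface, not only the tool the commit message has in mind: the interface still grants manage_dirs_pattern on selinux_config_t, so any other caller that creates `modules` can still do so, but the directory will now be left as selinux_config_t instead of transitioning to semanage_store_t. The interface description above the hunk should state that the transition now belongs to semanage_t, and the callers of seutil_manage_module_store() should be checked before merging.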
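Review bot: the new `filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")` in the selinuxutil.te hunk is placed between the policy_config_t file rule and the semanage_tmp_t block; refpolicy groups rules by target type, so it would read better beside the other semanage_store_t rules for semanage_t, or with a short comment noting it is the transition moved out of seutil_manage_module_store(). Since filetrans_pattern also grants rw_dir_perms on selinux_config_t, no further parent-directory rule is needed, but it is worth stating in the commit message that subdirectories created under the transitioned `modules` directory pick up semanage_store_t by inheritance, which is what makes the .fc change and this rule consistent.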