From: Steve Lawrence <slawrence@tresys.com>
To: Sven Vermeulen <sven.vermeulen@siphos.be>,
	SELinux <selinux@tycho.nsa.gov>
Subject: Re: Permission requirements for semodule?
Date: Mon, 24 Nov 2014 08:39:37 -0500
Message-ID: <54733519.40706@tresys.com>
In-Reply-To: <CAPzO=Nx9u_mwAuiPDfpfTOt01t0JLKdgbDQ6-foTr2SZmWPo3g@mail.gmail.com>

On 11/22/2014 11:46 AM, Sven Vermeulen wrote:
> Hi all
> 
> I'm working with 2.4_rc6 (with the additional patch that Steve sent to
> the list on November 19th) and noticed that some of the utilities are
> trying to access the HLL files. Currently, our policy disallows that,
> but other than that I see no issues.
> 
> For instance, when loading a policy module (pp) using "semodule -i
> /path/to/module.pp":
> 
> type=AVC msg=audit(1416673390.476:215): avc:  denied  { read } for
> pid=2729 comm="load_policy"
> path="/var/lib/selinux/mcs/active/modules/400/selocal/hll" dev=
> "sdb2" ino=6573925 scontext=staff_u:sysadm_r:load_policy_t:s0
> tcontext=staff_u:object_r:semanage_var_lib_t:s0 tclass=file
> 
> type=AVC msg=audit(1416673390.505:217): avc:  denied  { read } for
> pid=2730 comm="setfiles"
> path="/var/lib/selinux/mcs/active/modules/400/selocal/hll" dev="sdb2"
> ino=6573925 scontext=staff_u:sysadm_r:setfiles_t:s0
> tcontext=staff_u:object_r:semanage_var_lib_t:s0 tclass=file
> 
> The module is loaded and the changes are active, so I'm inclined to
> dontaudit it. But I'd rather ask up front. What are the tools trying
> to do? And, is semanage_var_lib_t the right type for the HLL files? I
> would expect it to need to be semanage_store_t?
> 

Looks like there might be a couple of problems here.

1) As you expected, files in /var/lib/selinux should be labeled
semanage_store_t. But we don't have any filecontexts/policy for those.
The semanage_migrate_store script uses setfscreatecon to set the labels
correctly, but if you run restorecon/setfiles they're going to reset to
semanage_var_lib_t. We'll work on a refpolicy patch for that today.

2) I'm not entirely sure why load_policy and setfiles want the file:read
permission on hll files. Those programs should never be reading those
files. Perhaps semodule is leaking file descriptors or something.
Looking into it.

Thanks,
- Steve
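As an added illustration that is not part of the thread, this is the kind of check one would script before reaching for a dontaudit: parse the two AVC records Sven quoted and flag any object under /var/lib/selinux whose target type is not the semanage_store_t Steve says those files should carry. The path-prefix rule and the re-joined one-line sample records are assumptions built from the thread, not from any project code.

```python
import re

# The two AVC records quoted in the thread, re-joined onto one line each (constructed sample input).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1416673390.476:215): avc:  denied  { read } for pid=2729 comm="load_policy" '
    'path="/var/lib/selinux/mcs/active/modules/400/selocal/hll" dev="sdb2" ino=6573925 '
    'scontext=staff_u:sysadm_r:load_policy_t:s0 tcontext=staff_u:object_r:semanage_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1416673390.505:217): avc:  denied  { read } for pid=2730 comm="setfiles" '
    'path="/var/lib/selinux/mcs/active/modules/400/selocal/hll" dev="sdb2" ino=6573925 '
    'scontext=staff_u:sysadm_r:setfiles_t:s0 tcontext=staff_u:object_r:semanage_var_lib_t:s0 tclass=file',
]

# Expected object type by path prefix, as stated in the reply above (assumption: a single rule).
EXPECTED_TYPES = {"/var/lib/selinux/": "semanage_store_t"}

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # Split user:role:type:level so the type field is directly comparable.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def find_mislabels(lines, expected=EXPECTED_TYPES):
    """Return (comm, path, actual_type, expected_type) for file denials whose target label is wrong."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "file" or "path" not in rec:
            continue
        for prefix, want in expected.items():
            if rec["path"].startswith(prefix) and rec["tcontext_type"] != want:
                findings.append((rec.get("comm"), rec["path"], rec["tcontext_type"], want))
    return findings


if __name__ == "__main__":
    for comm, path, actual, want in find_mislabels(SAMPLE_AVCS):
        print(f"{comm}: {path} is {actual}, expected {want} (relabel, do not dontaudit)")
```

A denial that survives once the label is corrected is the one worth investigating as a real permission question, which is Steve's second point.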
