* [refpolicy] seutil_manage_module_store interface missing filetrans
@ 2014-01-14 10:57 Laurent Bigonville
  2014-01-14 13:51 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Laurent Bigonville @ 2014-01-14 10:57 UTC (permalink / raw)
  To: refpolicy

Hi,

I've noticed several days ago that semodule operations were failing
in enforcing mode. When adding a module:

libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).

Russel has proposed a patch to fix this (side note: Russel, I think this
should go in the seutil_manage_module_store interface instead of
the .te):

filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")

Looking at the Fedora policy, they also have:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")

So I'll propose a patch to add these 3 rules.

But seutil_manage_module_store also contains:

filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")

This seems bogus to me if I'm looking at the .fc,
the /etc/selinux/default/modules directory is labeled as
selinux_config_t and not semanage_store_t.
And /etc/selinux/default/modules/active/modules will inherit the proper
context from the parent.

So I'm not really sure to which "modules" directory this was
referring (I guess the toplevel one), and whether the fcontext should be
modified or this rule be dropped?

Cheers,

Laurent Bigonville


* [refpolicy] seutil_manage_module_store interface missing filetrans
  2014-01-14 10:57 [refpolicy] seutil_manage_module_store interface missing filetrans Laurent Bigonville
@ 2014-01-14 13:51 ` Christopher J. PeBenito
  2014-01-14 13:59   ` Laurent Bigonville
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2014-01-14 13:51 UTC (permalink / raw)
  To: refpolicy

On 01/14/14 05:57, Laurent Bigonville wrote:
> Hi,
> 
> I've noticed several days ago that semodule operations were failing
> in enforcing mode. When adding a module:
> 
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> 
> Russel has proposed a patch to fix this (side note: Russel, I think this
> should go in the seutil_manage_module_store interface instead of
> the .te):
> 
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
> 
> Looking at the Fedora policy, they also have:
> 
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> 
> So I'll propose a patch to add these 3 rules.
> 
> But seutil_manage_module_store also contains:
> 
> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
> 
> This seems bogus to me if I'm looking at the .fc,
> the /etc/selinux/default/modules directory is labeled as
> selinux_config_t and not semanage_store_t.
> And /etc/selinux/default/modules/active/modules will inherit the proper
> context from the parent.
> 
> So I'm not really sure to which "modules" directory this was
> referring (I guess the toplevel one), and whether the fcontext should be
> modified or this rule be dropped?

It should all be simplified, as everything under /etc/selinux/*/modules should be semanage_store_t, except for the two .LOCK files.  Then we can probably drop the filetrans out of seutil_manage_module_store().  My guess is that rule found its way there due to seutil_manage_module_store(semanage_t).  On further consideration, I think only semanage_t should be creating that directory[1], so it should be the only domain with that filetrans.


[1] package managers too, but they should work correctly since they matchpathcon/setfscreate on the stuff they install

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] seutil_manage_module_store interface missing filetrans
  2014-01-14 13:51 ` Christopher J. PeBenito
@ 2014-01-14 13:59   ` Laurent Bigonville
  2014-01-14 14:05     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Laurent Bigonville @ 2014-01-14 13:59 UTC (permalink / raw)
  To: refpolicy

On Tue, 14 Jan 2014 08:51:13 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 01/14/14 05:57, Laurent Bigonville wrote:
> > Hi,
> > 
> > I've noticed several days ago that semodule operations were
> > failing in enforcing mode. When adding a module:
> > 
> > libsemanage.semanage_make_sandbox: Could not copy files to
> > sandbox /etc/selinux/default/modules/tmp. (Permission denied).
> > 
> > Russel has proposed a patch to fix this (side note: Russel, I
> > think this should go in the seutil_manage_module_store interface
> > instead of the .te):
> > 
> > filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
> > dir, "tmp")
> > 
> > Looking at the Fedora policy, they also have:
> > 
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
> > 
> > So I'll propose a patch to add these 3 rules.
> > 
> > But seutil_manage_module_store also contains:
> > 
> > filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
> > "modules")
> > 
> > This seems bogus to me if I'm looking at the .fc,
> > the /etc/selinux/default/modules directory is labeled as
> > selinux_config_t and not semanage_store_t.
> > And /etc/selinux/default/modules/active/modules will inherit the
> > proper context from the parent.
> > 
> > So I'm not really sure to which "modules" directory this was
> > referring (I guess the toplevel one), and whether the fcontext should
> > be modified or this rule be dropped?
> 
> It should all be simplified, as everything
> under /etc/selinux/*/modules should be semanage_store_t, except for
> the two .LOCK files.  Then we can probably drop the filetrans out of
> seutil_manage_module_store().  My guess is that rule found its way
> there due to seutil_manage_module_store(semanage_t).  On further
> consideration, I think only semanage_t should be creating that
> directory[1], so it should be the only domain with that filetrans.

So something like:

-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)

And the filetrans currently in the policy (for "modules" directory) can
stay?

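To see exactly which paths the proposed .fc change relabels, here is an added example (not refpolicy code) that parses file_contexts lines like the -/+ ones above and applies them with a simplified setfiles rule: the last matching entry wins, which matches setfiles once entries are ordered general-to-specific as refpolicy does. The /etc/selinux catch-all and the two semanage .LOCK file rules are assumed from refpolicy's selinuxutil.fc and are not quoted in this thread; all sample paths are constructed.

```python
import re

# Constructed for this example. The two "modules" rules are the -/+ lines
# from the thread; the catch-all and the two .LOCK rules are assumed from
# refpolicy's selinuxutil.fc (not quoted on this page).
CATCHALL = "/etc/selinux(/.*)?\tgen_context(system_u:object_r:selinux_config_t,s0)"
OLD_MODULES = ("/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?\t"
               "gen_context(system_u:object_r:semanage_store_t,s0)")
NEW_MODULES = ("/etc/selinux/([^/]*/)?modules(/.*)?\t"
               "gen_context(system_u:object_r:semanage_store_t,s0)")
LOCKS = [
    "/etc/selinux/([^/]*/)?modules/semanage\\.read\\.LOCK\t--\t"
    "gen_context(system_u:object_r:semanage_read_lock_t,s0)",
    "/etc/selinux/([^/]*/)?modules/semanage\\.trans\\.LOCK\t--\t"
    "gen_context(system_u:object_r:semanage_trans_lock_t,s0)",
]
OLD_FC = [CATCHALL, OLD_MODULES] + LOCKS   # more specific rules come last
NEW_FC = [CATCHALL, NEW_MODULES] + LOCKS

CTX = re.compile(r"gen_context\((\w+):(\w+):(\w+),(\w+)\)")

def parse_fc_line(line):
    """Return (compiled path regex, file-type flag or None, SELinux type)."""
    parts = line.split()
    ftype = parts[1] if len(parts) == 3 else None   # e.g. "--" file, "-d" dir
    m = CTX.fullmatch(parts[-1])
    if m is None:
        raise ValueError("bad context: " + parts[-1])
    return re.compile(parts[0]), ftype, m.group(3)

def label(path, fc_lines, is_dir=False):
    """Type assigned to path: last matching spec wins (simplified setfiles)."""
    chosen = None
    for regex, ftype, stype in map(parse_fc_line, fc_lines):
        if (ftype == "--" and is_dir) or (ftype == "-d" and not is_dir):
            continue                      # file-type flag excludes this object
        if regex.fullmatch(path):
            chosen = stype
    return chosen

def relabel_diff(entries, old_fc, new_fc):
    """Map path -> (old type, new type) for every path whose label changes."""
    out = {}
    for path, is_dir in entries:
        before, after = label(path, old_fc, is_dir), label(path, new_fc, is_dir)
        if before != after:
            out[path] = (before, after)
    return out

if __name__ == "__main__":
    store = "/etc/selinux/default/modules"
    sample = [(store, True), (store + "/tmp", True), (store + "/active/modules", True),
              (store + "/semanage.read.LOCK", False), ("/etc/selinux/config", False)]
    for p, (b, a) in relabel_diff(sample, OLD_FC, NEW_FC).items():
        print(f"{p}: {b} -> {a}")
```

Run as-is, the only path that changes is the toplevel modules directory itself, which is the one the filetrans in the thread was creating.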

* [refpolicy] seutil_manage_module_store interface missing filetrans
  2014-01-14 13:59   ` Laurent Bigonville
@ 2014-01-14 14:05     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2014-01-14 14:05 UTC (permalink / raw)
  To: refpolicy

On Tue Jan 14 08:59:58 2014, Laurent Bigonville wrote:
> On Tue, 14 Jan 2014 08:51:13 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
>> On 01/14/14 05:57, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> I've noticed several days ago that semodule operations were
>>> failing in enforcing mode. When adding a module:
>>>
>>> libsemanage.semanage_make_sandbox: Could not copy files to
>>> sandbox /etc/selinux/default/modules/tmp. (Permission denied).
>>>
>>> Russel has proposed a patch to fix this (side note: Russel, I
>>> think this should go in the seutil_manage_module_store interface
>>> instead of the .te):
>>>
>>> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t,
>>> dir, "tmp")
>>>
>>> Looking at the Fedora policy, they also have:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
>>>
>>> So I'll propose a patch to add these 3 rules.
>>>
>>> But seutil_manage_module_store also contains:
>>>
>>> filetrans_pattern($1, selinux_config_t, semanage_store_t, dir,
>>> "modules")
>>>
>>> This seems bogus to me if I'm looking at the .fc,
>>> the /etc/selinux/default/modules directory is labeled as
>>> selinux_config_t and not semanage_store_t.
>>> And /etc/selinux/default/modules/active/modules will inherit the
>>> proper context from the parent.
>>>
>>> So I'm not really sure to which "modules" directory this was
>>> referring (I guess the toplevel one), and whether the fcontext should
>>> be modified or this rule be dropped?
>>
>> It should all be simplified, as everything
>> under /etc/selinux/*/modules should be semanage_store_t, except for
>> the two .LOCK files.  Then we can probably drop the filetrans out of
>> seutil_manage_module_store().  My guess is that rule found its way
>> there due to seutil_manage_module_store(semanage_t).  On further
>> consideration, I think only semanage_t should be creating that
>> directory[1], so it should be the only domain with that filetrans.
>
> So something like:
>
> -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
> +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
>
> And the filetrans currently in the policy (for "modules" directory) can
> stay?

Correct on the fc, but I'd move the filetrans out of the interface back 
into the .te, for semanage_t.


--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
