[refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t

[refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t

[Sven Vermeulen]

With new userspace, trying to build a SELinux policy (and load it)
fails:

~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).

AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
---
 policy/modules/system/selinuxutil.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..e5ff626 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
 	files_search_etc($1)
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
+	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 ')
 
-- 
1.8.1.5

[refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t

[Miroslav Grepl]

Dne 4.11.2013 22:15, Sven Vermeulen napsal(a):
> With new userspace, trying to build a SELinux policy (and load it)
> fails:
>
> ~# semodule -B
> libsemanage.semanage_install_active: Unable to create sybolic link from
> /etc/selinux/mcs/modules/active/policy.kern to
> /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
>
> AVC shows a denial for the semodule command, running as semanage_t,
> trying to create a lnk_file in semanage_module_t.
> ---
>   policy/modules/system/selinuxutil.if | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 3822072..e5ff626 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
>   	files_search_etc($1)
>   	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
>   	manage_files_pattern($1, semanage_store_t, semanage_store_t)
> +	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
>   	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>   ')
>   
Yes, it needs to be added. We have it in Fedora.

[refpolicy] [PATCH 1/1] Allow semodule to create symlink in semanage_store_t

[Christopher J. PeBenito]

On 11/04/13 16:15, Sven Vermeulen wrote:
> With new userspace, trying to build a SELinux policy (and load it)
> fails:
> 
> ~# semodule -B
> libsemanage.semanage_install_active: Unable to create sybolic link from
> /etc/selinux/mcs/modules/active/policy.kern to
> /etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
> 
> AVC shows a denial for the semodule command, running as semanage_t,
> trying to create a lnk_file in semanage_module_t.
> ---
>  policy/modules/system/selinuxutil.if | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 3822072..e5ff626 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
>  	files_search_etc($1)
>  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
>  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
> +	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
>  	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com