* [refpolicy] [PATCH] Add files_base_type attribute to policy for RHEL 7.x
@ 2018-04-12  1:09 Dave Sugar
From: Dave Sugar @ 2018-04-12  1:09 UTC (permalink / raw)
  To: refpolicy

On RHEL 7.x I get the following traceback when using audit2allow.
It turns out Red Hat checks for the existence of attribute 'base_file_type'.
Adding this attribute in order for policycoreutils to function properly.

Traceback (most recent call last):
  File "/bin/audit2allow", line 365, in <module>
    app.main()
  File "/bin/audit2allow", line 351, in main
    self.__read_input()
  File "/bin/audit2allow", line 129, in __read_input
    parser = audit.AuditParser(last_load_only=self.__options.lastreload)
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 358, in __init__
    self.__initialize()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 370, in __initialize
    self.__store_base_types()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 549, in __store_base_types
    self.base_types = sepolicy.get_types_from_attribute("base_file_type")
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 110, in get_types_from_attribute
    return info(ATTRIBUTE, attribute)[0]["types"]
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 53, in info
    dict_list = _policy.info(setype, name)
RuntimeError: Invalid argument

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/domain.te |  6 ++++++
 policy/modules/kernel/files.if  | 21 +++++++++++++++++++++
 policy/modules/kernel/files.te  |  5 +++++
 3 files changed, 32 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index e44e3444..0ca26d5d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,12 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+ifdef(`distro_redhat',`
+	# allow all domains to search through base_file_type directory, since users
+	# sometimes place labels within these directories.  (samba_share_t) for example.
+	files_search_base_file_types(domain)
+')
+
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
 	# listen code, before protocol-specific
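Review bot: the files_search_base_file_types(domain) call gives every domain search access to every directory carrying base_file_type, which is broader than the stated goal of keeping audit2allow from crashing; the declaration in files.te is all that sepolicy.get_types_from_attribute needs. Either drop this hunk or justify the access on its own merits, and reword the comment, which as written says users place labels in these directories; the intended point appears to be that types such as samba_share_t are applied to directories below base-type directories, so domains need search on the parents.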
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e9bc8dd9..68b4af2d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7049,3 +7049,24 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+#######################################
+## <summary>
+##	Search all base file dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_search_base_file_types',`
+	ifdef(`distro_redhat',`
+		gen_require(`
+			attribute base_file_type;
+		')
+	
+		allow $1 base_file_type:dir search_dir_perms;
+	')
+') 
+
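Review bot: the closing `') ` line carries a trailing space and the blank line inside the interface body is tab-only; both trip git's whitespace check and refpolicy's style rules. Because the ifdef(`distro_redhat') guard sits inside the body, the interface silently expands to nothing on other distributions, so a caller never sees an error for the missing attribute; follow the existing convention of guarding at the call site (as the domain.te hunk already does) and keep the gen_require unguarded, or state in the <summary> that the interface is a no-op outside Red Hat builds. The summary "Search all base file dirs." should also note that base_file_type has no member types in refpolicy itself.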
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index f7cf321f..9dd721ed 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,6 +5,11 @@ policy_module(files, 1.25.1)
 # Declarations
 #
 
+
+ifdef(`distro_redhat',`
+	attribute base_file_type;
+')
+
 attribute file_type;
 attribute files_unconfined_type;
 attribute lockfile;
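Review bot: the attribute is declared but no type is ever assigned to it, so sepolicy.get_types_from_attribute("base_file_type") returns an empty type list and the allow rule in domain.te matches nothing; if the sole purpose is to satisfy the tool, say so in a comment next to the declaration. Also drop the extra blank line added before the ifdef (there are now two consecutive blank lines), and bump the version in policy_module(files, 1.25.1) since the patch adds a new interface.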
-- 
2.14.3


* [refpolicy] [PATCH] Add files_base_type attribute to policy for RHEL 7.x
From: Chris PeBenito @ 2018-04-12 22:55 UTC (permalink / raw)
  To: refpolicy

On 04/11/2018 09:09 PM, Dave Sugar via refpolicy wrote:
> On RHEL 7.x I get the following traceback when using audit2allow.
> It turns out Redhat checks for the existence of attribute 'base_file_type'.
> Adding this attribute in order for the policycoreutil to function properly.
> 
> Traceback (most recent call last):
>    File "/bin/audit2allow", line 365, in <module>
>      app.main()
>    File "/bin/audit2allow", line 351, in main
>      self.__read_input()
>    File "/bin/audit2allow", line 129, in __read_input
>      parser = audit.AuditParser(last_load_only=self.__options.lastreload)
>    File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 358, in __init__
>      self.__initialize()
>    File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 370, in __initialize
>      self.__store_base_types()
>    File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 549, in __store_base_types
>      self.base_types = sepolicy.get_types_from_attribute("base_file_type")
>    File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 110, in get_types_from_attribute
>      return info(ATTRIBUTE, attribute)[0]["types"]
>    File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 53, in info
>      dict_list = _policy.info(setype, name)
> RuntimeError: Invalid argument


This is a bug in audit2allow.  It shouldn't be hard-coding policy symbols.

NAK


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/kernel/domain.te |  6 ++++++
>   policy/modules/kernel/files.if  | 21 +++++++++++++++++++++
>   policy/modules/kernel/files.te  |  5 +++++
>   3 files changed, 32 insertions(+)
> 
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index e44e3444..0ca26d5d 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -110,6 +110,12 @@ term_use_controlling_term(domain)
>   # list the root directory
>   files_list_root(domain)
>   
> +ifdef(`distro_redhat',`
> +	# allow all domains to search through base_file_type directory, since users
> +	# sometimes place labels within these directories.  (samba_share_t) for example.
> +	files_search_base_file_types(domain)
> +')
> +
>   ifdef(`hide_broken_symptoms',`
>   	# This check is in the general socket
>   	# listen code, before protocol-specific
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index e9bc8dd9..68b4af2d 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -7049,3 +7049,24 @@ interface(`files_unconfined',`
>   
>   	typeattribute $1 files_unconfined_type;
>   ')
> +
> +#######################################
> +## <summary>
> +##	Search all base file dirs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`files_search_base_file_types',`
> +	ifdef(`distro_redhat',`
> +		gen_require(`
> +			attribute base_file_type;
> +		')
> +	
> +		allow $1 base_file_type:dir search_dir_perms;
> +	')
> +')
> +
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index f7cf321f..9dd721ed 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -5,6 +5,11 @@ policy_module(files, 1.25.1)
>   # Declarations
>   #
>   
> +
> +ifdef(`distro_redhat',`
> +	attribute base_file_type;
> +')
> +
>   attribute file_type;
>   attribute files_unconfined_type;
>   attribute lockfile;
> 


-- 
Chris PeBenito
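To illustrate the point made in the reply, here is an added example (not sepolgen's code, and not part of the thread) that contrasts the hard-coded lookup seen in the traceback with a lookup that tolerates a policy lacking the attribute. The policy database and the AVC records are constructed in-memory stand-ins; `policy_info` imitates `sepolicy.info` raising `RuntimeError` on an unknown symbol, and the warning text is a constructed format, not audit2allow's exact output.

```python
# Added example: tolerant lookup of a distribution-specific attribute.
# The backend below is a constructed stand-in for sepolicy.info(); the real
# function raises RuntimeError("Invalid argument") for a symbol the loaded
# policy does not define, which is exactly what the traceback shows.

# Constructed policy databases: attribute name -> member types.
# A Red Hat policy carries base_file_type; an upstream refpolicy build does not.
RH_POLICY = {"file_type": ["etc_t", "var_t", "samba_share_t"],
             "base_file_type": ["etc_t", "var_t"]}
REFPOLICY = {"file_type": ["etc_t", "var_t", "samba_share_t"]}


def policy_info(db, attribute):
    """Imitate sepolicy.info(ATTRIBUTE, name): raise on an unknown symbol."""
    if attribute not in db:
        raise RuntimeError("Invalid argument")
    return [{"name": attribute, "types": list(db[attribute])}]


def fragile_base_types(db):
    """The pattern from the traceback: hard-coded symbol, no fallback."""
    return set(policy_info(db, "base_file_type")[0]["types"])


def tolerant_base_types(db, attribute="base_file_type"):
    """Probe for the attribute; an absent symbol means 'no known base types'."""
    try:
        return set(policy_info(db, attribute)[0]["types"])
    except RuntimeError:
        return set()


# Constructed AVC denials, reduced to the fields this example uses.
AVCS = [
    {"scontext": "httpd_t", "tcontext": "var_t", "class": "dir", "perms": ["search"]},
    {"scontext": "httpd_t", "tcontext": "samba_share_t", "class": "file", "perms": ["read"]},
]


def generate_rules(avcs, base_types):
    """Emit allow rules, prefixing a (constructed-format) warning when the
    target type is a base type, so the reader knows the rule is very broad."""
    out = []
    for a in avcs:
        if a["tcontext"] in base_types:
            out.append(f"#!!!! WARNING: '{a['tcontext']}' is a base type.")
        perms = " ".join(a["perms"])
        out.append(f"allow {a['scontext']} {a['tcontext']}:{a['class']} {{ {perms} }};")
    return out


if __name__ == "__main__":
    for name, db in (("Red Hat", RH_POLICY), ("refpolicy", REFPOLICY)):
        print(f"# {name}: base types = {sorted(tolerant_base_types(db))}")
        print("\n".join(generate_rules(AVCS, tolerant_base_types(db))))
```

With the refpolicy database the tolerant lookup returns an empty set and rule generation still completes, where the fragile version raises the same `RuntimeError` as the traceback.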

