Will you provide a patch to the reference policy to allow semanage_t to write into all kinds of directories? I personally see little value in this patch, as everything is readily accessible on the file system. Users who want to extract policies with semodule will now encounter policy issues where semanage_t is not allowed to write into the current working directory (depending on where the user is):

allow semanage_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t selinux_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t default_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t file_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t semanage_store_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t semanage_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t policy_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

Wkr,
  Sven Vermeulen

On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy <ykhodorkovskiy@xxxxxxxxxx> wrote:
> This patchset adds support for extracting modules from the module store as hll
> or cil to the current working directory. This also adds a function to the
> libsemanage API to extract modules and fixes a memory leak discovered while
> implementing this functionality.
>
> Changes from v1:
> - Add fallback behavior if a module does not exist at the default priority when
>   extracting with semodule.
>
> Yuli Khodorkovskiy (3):
>   libsemanage: Add ability to extract modules
>   libsemanage: Fix null pointer dereference in semanage_module_key_destroy
>   policycoreutils/semodule: update semodule to allow extracting modules
>
>  libsemanage/include/semanage/modules.h |  17 ++
>  libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>  libsemanage/src/libsemanage.map        |   1 +
>  libsemanage/src/modules.c              |  23 ++-
>  libsemanage/src/policy.h               |   8 +
>  libsemanage/src/semanageswig_python.i  |   5 +
>  policycoreutils/semodule/semodule.8    |  14 ++
>  policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>  8 files changed, 416 insertions(+), 108 deletions(-)
>
> --
> 1.9.3
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
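As an added example that is not part of either message, the following Python snippet parses the allow rules quoted in the reply above and answers whether semanage_t would be permitted to create a file in a directory of a given type, so an administrator can tell in advance whether extracting into the current directory will hit a denial. The rule text is a constructed copy of the rules in the reply; that `stat -c %C .` prints the directory's context in `user:role:type:level` form is an assumption about GNU coreutils.

```python
import re

# Constructed copy of the allow rules quoted in the reply above.
RULES = """
allow semanage_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t selinux_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t default_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t file_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t semanage_store_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t semanage_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t policy_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
"""

# Matches "allow <source> <target> : <class> { perm perm ... } ;"
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} for every allow rule in text."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

# Creating a new file inside a directory requires these permissions on the
# directory object itself (the file's own class is checked separately).
CREATE_IN_DIR = {"search", "write", "add_name"}

def can_create_file_in(rules, source, dir_type):
    """True if `source` may add a new entry to a directory labelled `dir_type`."""
    perms = rules.get((source, dir_type, "dir"), set())
    return CREATE_IN_DIR <= perms

def context_type(context):
    """Extract the type from a 'user:role:type[:level]' context string
    (assumption: the format printed by `stat -c %C`)."""
    return context.split(":")[2]

if __name__ == "__main__":
    import subprocess
    rules = parse_allow_rules(RULES)
    cwd_ctx = subprocess.check_output(["stat", "-c", "%C", "."], text=True).strip()
    t = context_type(cwd_ctx)
    print(f"cwd type {t}: semanage_t can write here: {can_create_file_in(rules, 'semanage_t', t)}")
```

Run from a home directory (typically user_home_t) the check reports False, which is the denial the reply predicts; run from /tmp (tmp_t) it reports True.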