On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
> Will you provide a patch to the reference policy to allow semanage_t
> to write into all kinds of directories?
>
> I personally see little value in this patch, as everything is readily
> accessible on the file system. Users who want to extract policies with
> semodule will now encounter policy issues where semanage_t is not
> allowed to write into the current working directory (depending where
> the user is at):

Directly accessing files under /var/lib/selinux is not very user-friendly or maintainable, as how the files are arranged and stored is an implementation detail of libsemanage. The change allows users a new workflow in which they can readily extract a module (whether locally created or distro-provided), modify it, and then re-install it (and automatically have their modified version installed at higher priority, and thereby not clobber the distro-provided one or be clobbered by subsequent policy updates). semanage is already given userdom_read_user_home_content_files() and userdom_read_user_tmp_files() in order to support semodule -i from either of those locations, so broadening that to userdom_manage doesn't seem too onerous. Also, the situation doesn't seem terribly different from the already existing semanage export facility, which takes a -f output_file option.
>
> allow semanage_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t selinux_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t default_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t file_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t semanage_store_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
> allow semanage_t semanage_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
> allow semanage_t policy_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>
> Wkr,
> Sven Vermeulen
>
> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy <ykhodorkovskiy@xxxxxxxxxx> wrote:
>> This patchset adds support for extracting modules from the module store as hll
>> or cil to the current working directory. This also adds a function to the
>> libsemanage API to extract modules and fixes a memory leak discovered while
>> implementing this functionality.
>>
>> Changes from v1:
>> - Add fallback behavior if a module does not exist at the default priority when
>>   extracting with semodule.
>>
>> Yuli Khodorkovskiy (3):
>>   libsemanage: Add ability to extract modules
>>   libsemanage: Fix null pointer dereference in semanage_module_key_destroy
>>   policycoreutils/semodule: update semodule to allow extracting modules
>>
>>  libsemanage/include/semanage/modules.h |  17 ++
>>  libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>>  libsemanage/src/libsemanage.map        |   1 +
>>  libsemanage/src/modules.c              |  23 ++-
>>  libsemanage/src/policy.h               |   8 +
>>  libsemanage/src/semanageswig_python.i  |   5 +
>>  policycoreutils/semodule/semodule.8    |  14 ++
>>  policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>>  8 files changed, 416 insertions(+), 108 deletions(-)
>>
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
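The allow rules Sven quotes are the kind of audit2allow-style output a policy reviewer has to weigh: some of them only let semanage_t manage its own store, some grant write access into policy configuration directories, and one grants write access to a general-purpose type. The script below is an added example, not code from this thread or from the SELinux project. It parses allow rules in that format and buckets each one by what the permissions would let the subject alter; the rule text is copied from the thread as constructed sample input, and the groupings of target types into "own store" and "policy configuration" are my assumptions for illustration.

```python
"""Triage SELinux allow rules by how much write access they would grant.

Added example for reviewing a proposed policy change; the type groupings
below are assumptions chosen to illustrate the rules quoted in the thread.
"""
import re
from dataclasses import dataclass

# Matches one rule of the form: allow <src> <tgt> : <class> { perms } ;
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")

# Directory permissions that let the subject change the directory's contents.
DIR_WRITE_PERMS = frozenset({
    "write", "add_name", "remove_name", "create", "unlink", "link",
    "rename", "reparent", "rmdir", "setattr",
})

# Assumed grouping: the module store that semanage_t is expected to manage anyway.
OWN_STORE_TYPES = frozenset({"semanage_store_t", "semanage_tmp_t"})
# Assumed grouping: types holding policy configuration that should not be
# writable as a side effect of a convenience feature.
POLICY_CONFIG_TYPES = frozenset({
    "selinux_config_t", "default_context_t", "file_context_t", "policy_config_t",
})

# Constructed sample: the rules quoted in the thread, one per line.
SAMPLE_RULES = """
allow semanage_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t selinux_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t default_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t file_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow semanage_t semanage_store_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t semanage_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow semanage_t policy_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
"""


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(text: str) -> list:
    """Extract every allow rule from free-form text (wrapped lines are fine)."""
    return [
        AllowRule(src, tgt, cls, frozenset(perms.split()))
        for src, tgt, cls, perms in ALLOW_RE.findall(text)
    ]


def classify(rule: AllowRule) -> str:
    """Bucket a rule by the kind of write access it grants on its target."""
    if not (rule.perms & DIR_WRITE_PERMS):
        return "read-only"
    if rule.target in OWN_STORE_TYPES:
        return "own-store"
    if rule.target in POLICY_CONFIG_TYPES:
        return "write-to-policy-config"
    return "write-outside-store"


def review(text: str) -> dict:
    """Map each bucket to the list of target types whose rules fell into it."""
    findings: dict = {}
    for rule in parse_allow_rules(text):
        findings.setdefault(classify(rule), []).append(rule.target)
    return findings


if __name__ == "__main__":
    for bucket, targets in sorted(review(SAMPLE_RULES).items()):
        print(f"{bucket:24s} {', '.join(targets)}")
```

Run as a script it lists the two store types under own-store, the four configuration types under write-to-policy-config, and tmp_t under write-outside-store, which is the shape of the objection in the thread: granting semanage_t write access wherever the user happens to be reaches well beyond the module store, whereas widening the existing userdom_* grants confines the new access to user-owned locations.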