(This is running off current development reference policy.)

Ironically, selinux is trying to block me from loading policy modules, e.g.:

Nov 15 06:55:41 testbed kernel: [169387.945060] audit: type=1400 audit(1416056141.747:4585): avc: denied { read } for pid=3558 comm="load_policy" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1
Nov 15 06:55:41 testbed kernel: [169387.993469] audit: type=1400 audit(1416056141.795:4587): avc: denied { read } for pid=3560 comm="setfiles" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:setfiles_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1

The sysadm_t --> setfiles_t/load_policy_t transition is clearly working fine; however, the transition from either into semanage_var_lib_t isn't working so well. In fact there is no transition out:

testbed hardened-refpolicy # sesearch -s setfiles_t -T
testbed hardened-refpolicy # sesearch -s load_policy_t -T
testbed hardened-refpolicy #

Fortunately this is pretty easy to fix because there are two handy macros for file/directory management. Neither permission group for setfiles_t or load_policy_t appears to be a bad idea here, and is essential for policy loading to be possible in an enforcing environment.

Reproducible: Always
Created attachment 389382: make the avc whines go away!
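The two AVC records in the report above carry everything needed to see which domain was blocked from what: the permission inside the braces, the source and target contexts, the object class, and the permissive=1 flag that says the access was only logged, not blocked. The following Python script is an added example (not code from the report, the attached patch, or refpolicy) that parses such kernel audit lines, groups denials by (source type, target type, class) and prints the minimal allow rules they would need, which is roughly what audit2allow does. The sample log is copied verbatim from the report; the helper names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denial lines quoted in the bug report above.
SAMPLE_LOG = """\
Nov 15 06:55:41 testbed kernel: [169387.945060] audit: type=1400 audit(1416056141.747:4585): avc: denied { read } for pid=3558 comm="load_policy" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1
Nov 15 06:55:41 testbed kernel: [169387.993469] audit: type=1400 audit(1416056141.795:4587): avc: denied { read } for pid=3560 comm="setfiles" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:setfiles_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type component (user:role:type[:level]) of a security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # permissive=1 means the kernel logged the denial but still allowed the access;
    # in enforcing mode the same access would have failed.
    rec["permissive"] = rec.get("permissive") == "1"
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def aggregate(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            grouped[(rec["stype"], rec["ttype"], rec.get("tclass", "?"))].update(rec["perms"])
    return grouped


def allow_rules(log_text):
    """Render the aggregated denials as raw policy allow statements, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(aggregate(log_text).items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The raw allow statements are only the diagnostic; in a refpolicy module the fix is expressed through the interface macros for the target type (as the report's attachment does), so that the access stays consistent with how other domains are granted the same objects.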
I'm going to wait on this until the 2.4 cil interpretation bug has been fixed; I didn't have any issues with using the 2.4_rc* series to load policy modules (in enforcing, strict mode) so either there was a fallback routine, or it wasn't needed, or you're executing commands that I haven't tested.
Fair enough. Replication for me is straightforward:
1) newrole -r sysadm_r
2) Build policy module
3) semodule -i module.pp
It looks like the denials are harmless (in enforcing mode, stuff still seems to work), but I've asked the mailing list to confirm. Also, I would have expected that this needs to be semanage_store_t; perhaps a transition + fc definition is missing.
I'm not forgetting this, but waiting for upstream feedback. See http://marc.info/?l=selinux&m=141683660207783&w=2
userspace 2.4-rc7 is in ~arch, the denials seem to be fixed.
2.4 userland is stable