Bug 853154 - sys-apps/policycoreutils-3.3: selocal -L doesn't work in enforcing mode
Summary: sys-apps/policycoreutils-3.3: selocal -L doesn't work in enforcing mode
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2022-06-20 09:51 UTC by herypt
Modified: 2022-07-19 08:35 UTC
Description herypt 2022-06-20 09:51:27 UTC
selocal is unable to load the policy in enforcing mode because semodule doesn't have permission to read /root/.selocal/selocal.pp.

Reproducible: Always

Steps to Reproduce:
1. setenforce 1
2. selocal -bL
Actual Results:  
## Loading selocal.pp (in ~/.selocal):
# semodule -i ~/.selocal/selocal.pp
libsemanage.map_file: Unable to open /root/.selocal/selocal.pp
 (Permission denied).
libsemanage.semanage_direct_install_file: Unable to read file /root/.selocal/selocal.pp
 (Permission denied).
semodule:  Failed on /root/.selocal/selocal.pp!


type=AVC msg=audit(1655717414.885:20): avc:  denied  { search } for  pid=7779 comm="semodule" name="root" dev="sda2" ino=74160 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
type=AVC msg=audit(1655717414.885:20): avc:  denied  { read } for  pid=7779 comm="semodule" name="selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.885:20): avc:  denied  { open } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.886:21): avc:  denied  { getattr } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.886:22): avc:  denied  { map } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
Comment 1 Kenton Groombridge gentoo-dev 2022-07-18 23:30:17 UTC
Your system looks to be mislabeled. /root is supposed to be labeled 'user_home_dir_t' and its contents 'user_home_t'. Try issuing 'restorecon -RFv /root' and see if that resolves the issue.
Comment 2 herypt 2022-07-19 08:35:41 UTC
Running that command with SELINUXTYPE=targeted (which I'm using) keeps /root labeled as default_t, but if I change it to strict, it does label it correctly.
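As an added example (not part of this bug report and not code from policycoreutils or Gentoo), the script below parses the AVC records quoted in the description and applies the diagnosis from Comment 1 as a triage rule: a denial whose target carries the catch-all `default_t` type (or `unlabeled_t`) points at a mislabeled object rather than a missing policy rule, so the fix is a relabel, not a new allow rule. The audit lines embedded in the script are the ones quoted above; the regular expressions, the function names and the `MISLABEL_TYPES` set are my own assumptions. Findings are keyed by `dev`/`ino` because the same object shows up under different `name=`/`path=` fields across records (the `read` denial only carries `name="selocal.pp"`, the `open` denial carries the full path), and the inode is the stable identity.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the bug description above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1655717414.885:20): avc:  denied  { search } for  pid=7779 comm="semodule" name="root" dev="sda2" ino=74160 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
type=AVC msg=audit(1655717414.885:20): avc:  denied  { read } for  pid=7779 comm="semodule" name="selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.885:20): avc:  denied  { open } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.886:21): avc:  denied  { getattr } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
type=AVC msg=audit(1655717414.886:22): avc:  denied  { map } for  pid=7779 comm="semodule" path="/root/.selocal/selocal.pp" dev="sda2" ino=1995777 scontext=unconfined_u:unconfined_r:semanage_t tcontext=system_u:object_r:default_t tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, verdict and the permission set in braces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (comm, name, path, dev).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Types that refpolicy assigns to objects without a matching file context (assumption
# of this example: treat a denial against them as a labeling problem).
MISLABEL_TYPES = {"default_t", "unlabeled_t"}


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for kv in KV_RE.finditer(m.group("rest")):
        rec[kv.group(1)] = kv.group(3) if kv.group(3) is not None else kv.group(4)
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def triage(lines):
    """Group denials against mislabel-indicator types by the object's (dev, ino, class)."""
    findings = defaultdict(lambda: {"perms": set(), "names": set(), "domains": set(), "serials": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        ttype = context_type(rec["tcontext"])
        if ttype not in MISLABEL_TYPES:
            continue
        key = (rec.get("dev", "?"), rec.get("ino", "?"), rec.get("tclass", "?"))
        f = findings[key]
        f["perms"].update(rec["perms"])
        f["domains"].add(context_type(rec["scontext"]))
        f["serials"].add(rec["serial"])
        for field in ("path", "name"):
            if field in rec:
                f["names"].add(rec[field])
    return dict(findings)


def relabel_candidates(findings):
    """Absolute paths seen in the findings; these are the restorecon targets."""
    paths = {n for f in findings.values() for n in f["names"] if n.startswith("/")}
    return sorted(paths)


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT.splitlines())
    for (dev, ino, tclass), f in result.items():
        print(f"{tclass} dev={dev} ino={ino} names={sorted(f['names'])} "
              f"denied={sorted(f['perms'])} from={sorted(f['domains'])}")
    print("relabel with restorecon -RFv on:", relabel_candidates(result))
```

On the records quoted in this bug the script reports one `dir` object (the `search` denial on `root`) and one `file` object with `read`, `open`, `getattr` and `map` denied, both labeled `default_t`, and names `/root/.selocal/selocal.pp` as the relabel candidate; a practitioner would then run `restorecon -RFv` on the enclosing directory, as Comment 1 suggests, and re-check with `ls -Z` that the result is no longer `default_t`. Comment 2 shows the other half of the check: if `restorecon` leaves the path as `default_t`, the active policy's file contexts have no entry for it, and the problem is in the policy store rather than on disk.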