
Bug 417821

Summary: Loading policy fails with "libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/strict/modules/tmp. (Permission denied)"
Product: Gentoo Linux
Component: Hardened
Reporter: Sven Vermeulen (RETIRED) <swift>
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
Priority: Normal
CC: selinux
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r11
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-27 17:49:59 UTC
When a new SELinux policy is built (or the policy is reloaded), the following failure occurs:

"""
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/strict/modules/tmp. (Permission denied)
"""

This is due to a change in policy for semanage between r9 and r10. In r10, the "modules" directory is assumed to be created using a named file transition into "semanage_store_t". On existing systems, however, the directory is already available (and with selinux_config_t).

The following simple fix resolves this issue, and will also be in r11.

"""
semanage fcontext -a -t semanage_store_t /etc/selinux/strict/modules
restorecon -R /etc/selinux/strict/modules
"""

Reproducible: Always
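An added check script, not part of the bug report, that detects the condition described above (the module store directory still labelled selinux_config_t instead of semanage_store_t) and prints the two-command fix from the report rather than running it. It assumes "strict" is the active policy store and a GNU stat(1) that supports the %C context format.

```shell
#!/bin/sh
# Assumed policy store path; change for a "targeted" or "mcs" store.
MODULES_DIR=/etc/selinux/strict/modules
EXPECTED_TYPE=semanage_store_t

# Extract the type field from a "user:role:type[:level]" SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the context's type is not the expected one.
needs_relabel() {
    [ "$(context_type "$1")" != "$EXPECTED_TYPE" ]
}

# Read the directory's current context; GNU stat prints "?" without SELinux.
current_context() {
    stat -c %C "$MODULES_DIR" 2>/dev/null
}

# Echo the fix from the report so it can be reviewed before running as root.
print_fix() {
    printf 'semanage fcontext -a -t %s %s\n' "$EXPECTED_TYPE" "$MODULES_DIR"
    printf 'restorecon -R %s\n' "$MODULES_DIR"
}

main() {
    ctx=$(current_context)
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "cannot read SELinux context of $MODULES_DIR (SELinux not active?)"
        return 2
    fi
    if needs_relabel "$ctx"; then
        echo "$MODULES_DIR is $(context_type "$ctx"), expected $EXPECTED_TYPE; run as root:"
        print_fix
        return 1
    fi
    echo "$MODULES_DIR is already $EXPECTED_TYPE"
    return 0
}

# Run the live check only when explicitly requested: RUN_CHECK=1 sh check.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    main
fi
```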
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:15:17 UTC
In hardened-dev overlay, rev 11
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:57:05 UTC
In main tree, ~arched
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:35:28 UTC
Stabilized