
Bug 530866

Summary: Missing contexts for /var/lib/selinux
Product: Gentoo Linux Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r1
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 529326    

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 14:20:23 UTC
Currently, /var/lib/selinux (and all files and directories in it) are labelled as semanage_var_lib_t. However, as active policy stores will be hosted in it, files will need to be labelled as selinux_config_t, semanage_store_t, etc.

See also /etc/selinux definitions:

/etc/selinux(/.*)?                                 all files          system_u:object_r:selinux_config_t:s0 
/etc/selinux/([^/]*/)?contexts(/.*)?               all files          system_u:object_r:default_context_t:s0 
/etc/selinux/([^/]*/)?contexts/files(/.*)?         all files          system_u:object_r:file_context_t:s0 
/etc/selinux/([^/]*/)?modules(/.*)?                all files          system_u:object_r:semanage_store_t:s0 
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK regular file       system_u:object_r:semanage_read_lock_t:s0 
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK regular file       system_u:object_r:semanage_trans_lock_t:s0 
/etc/selinux/([^/]*/)?policy(/.*)?                 all files          system_u:object_r:policy_config_t:s0 
/etc/selinux/([^/]*/)?setrans\.conf                regular file       system_u:object_r:selinux_config_t:s0 
/etc/selinux/([^/]*/)?seusers                      regular file       system_u:object_r:selinux_config_t:s0 
/etc/selinux/([^/]*/)?users(/.*)?                  regular file       system_u:object_r:selinux_config_t:s0

The solution could be as simple as introducing an equivalence, although the "active/" part in /var/lib/selinux/mcs/active makes me believe that it is better to set the contexts correctly immediately.

Reproducible: Always
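The following is an added example, not code from the bug report, from the policy, or from the commit that fixed it. It models the file_contexts lookup that setfiles/restorecon perform (regex anchored at both ends, optional file-type filter, last matching entry wins) over the /etc/selinux rows quoted above, and uses it to show two things the report argues: a plain path equivalence from /var/lib/selinux to /etc/selinux does not give the store-specific types once an "active/" component sits between the store name and "modules", while a mirrored set of rows that allows that component does. The /var/lib/selinux rows it builds (the catch-all kept, the /etc/selinux rows copied under it with an optional "active/" component) are this example's own assumption about the shape of a fix, and the sample paths are constructed.

```python
import re
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: str     # file_contexts regex; libselinux anchors it at both ends
    ftype: str     # "all files" or "regular file", as semanage fcontext -l prints it
    context: str


# The /etc/selinux rows quoted in the bug report, in file order.
ETC_SELINUX: List[Spec] = [
    Spec(r"/etc/selinux(/.*)?",                                 "all files",    "system_u:object_r:selinux_config_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?contexts(/.*)?",               "all files",    "system_u:object_r:default_context_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?contexts/files(/.*)?",         "all files",    "system_u:object_r:file_context_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?modules(/.*)?",                "all files",    "system_u:object_r:semanage_store_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK", "regular file", "system_u:object_r:semanage_read_lock_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK","regular file", "system_u:object_r:semanage_trans_lock_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?policy(/.*)?",                 "all files",    "system_u:object_r:policy_config_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?setrans\.conf",                "regular file", "system_u:object_r:selinux_config_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?seusers",                      "regular file", "system_u:object_r:selinux_config_t:s0"),
    Spec(r"/etc/selinux/([^/]*/)?users(/.*)?",                  "regular file", "system_u:object_r:selinux_config_t:s0"),
]

# The single row that, per the report, currently covers /var/lib/selinux.
CURRENT_VAR_LIB: List[Spec] = [
    Spec(r"/var/lib/selinux(/.*)?", "all files", "system_u:object_r:semanage_var_lib_t:s0"),
]


def label(path: str, specs: List[Spec], is_regular: bool = True) -> Optional[str]:
    """Context for `path`: walk the rows from the end so the last matching
    row wins, skipping "regular file" rows when the object is not one."""
    for spec in reversed(specs):
        if spec.ftype == "regular file" and not is_regular:
            continue
        if re.fullmatch(spec.regex, path):
            return spec.context
    return None


def via_equivalence(path: str, src: str = "/var/lib/selinux",
                    dst: str = "/etc/selinux", is_regular: bool = True) -> Optional[str]:
    """Model of `semanage fcontext -a -e /etc/selinux /var/lib/selinux`:
    rewrite the prefix, then look the rewritten path up in the /etc rows."""
    if path == src or path.startswith(src + "/"):
        path = dst + path[len(src):]
    return label(path, ETC_SELINUX, is_regular)


def mirror_specs(specs: List[Spec], src: str = "/etc/selinux",
                 dst: str = "/var/lib/selinux", subdir: str = "active/") -> List[Spec]:
    """Assumed shape of a fix: copy each row under the new prefix and let an
    optional `subdir` component follow the store name, so that
    /var/lib/selinux/mcs/active/modules is covered. Example's own assumption."""
    out = []
    for s in specs:
        rx = s.regex.replace(src, dst, 1)
        rx = rx.replace("([^/]*/)?", "([^/]*/)?(%s)?" % re.escape(subdir), 1)
        out.append(Spec(rx, s.ftype, s.context))
    return out


# Keep the catch-all first and append the specific rows after it; with
# last-match-wins the specific rows take precedence where they apply.
PROPOSED_VAR_LIB: List[Spec] = CURRENT_VAR_LIB + mirror_specs(ETC_SELINUX[1:])


def compare(path: str, is_regular: bool = True) -> dict:
    """Label `path` three ways: current single row, equivalence, mirrored rows."""
    return {
        "current":     label(path, CURRENT_VAR_LIB, is_regular),
        "equivalence": via_equivalence(path, is_regular=is_regular),
        "mirrored":    label(path, PROPOSED_VAR_LIB, is_regular),
    }


if __name__ == "__main__":
    # Constructed sample paths from a store named "mcs".
    for p, reg in [("/var/lib/selinux/mcs/active/modules/100/base/cil", True),
                   ("/var/lib/selinux/mcs/active/modules/semanage.trans.LOCK", True),
                   ("/var/lib/selinux/mcs/active/modules/semanage.trans.LOCK", False),
                   ("/var/lib/selinux/mcs/active/contexts/files/file_contexts", True),
                   ("/var/lib/selinux/mcs", False)]:
        print(p, "regular" if reg else "dir", compare(p, reg))
```

Run as a script, the first path shows the report's point: the current rule gives semanage_var_lib_t, the equivalence gives selinux_config_t because "/etc/selinux/mcs/active/modules/..." only matches the catch-all (the "([^/]*/)?" group allows one component, not "mcs/active/"), and only the mirrored rows give semanage_store_t. The lock file case shows the file-type filter: as a regular file it gets semanage_trans_lock_t, as a directory the same path falls back to semanage_store_t.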
Comment 1 Jason Zaman gentoo-dev 2014-12-04 14:25:23 UTC
commit 4270746b108fd90b377127c6f20998af640a4869 in master

Update policy for selinux userspace moving the policy store to /var/lib/selinux
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:12:33 UTC
r1 is now stable