Bug 417821 - Loading policy fails with "libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/strict/modules/tmp. (Permission denied)"
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r11
Reported: 2012-05-27 17:49 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-07-30 16:35 UTC
Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-27 17:49:59 UTC
When a new SELinux policy is built (or the policy is reloaded), the following failure occurs:

"""
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/strict/modules/tmp. (Permission denied)
"""

This is due to a change in policy for semanage between r9 and r10. In r10, the "modules" directory is assumed to be created using a named file transition into "semanage_store_t". On existing systems however, the directory is already available (and with selinux_config_t).

The following simple fix resolves this issue, and will also be in r11.

"""
semanage fcontext -a -t semanage_store_t /etc/selinux/strict/modules
restorecon -R /etc/selinux/strict/modules
"""

Reproducible: Always
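
The following check is an added example, not part of the original report: it reads the SELinux context of the modules directory and reports whether it still carries a type other than semanage_store_t, which is the condition described above. The function names are hypothetical and the sample contexts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the stale label on the
# policy store directory before a policy build or reload fails on it.

EXPECTED_TYPE=semanage_store_t   # type the report says the directory needs

# Extract the type field from a context of the form user:role:type[:level].
# The level may contain colons itself (e.g. s0-s0:c0.c1023), so field 3 is
# taken explicitly. -s suppresses input with no ':' (e.g. "?" from stat).
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Print "ok", "relabel" or "unknown" for a given context string.
classify_context() {
    t=$(context_type "$1")
    case "$t" in
        "$EXPECTED_TYPE") echo ok ;;
        "")               echo unknown ;;
        *)                echo relabel ;;
    esac
}

# Classify a live directory; the default is the path named in the report.
check_store() {
    dir=${1:-/etc/selinux/strict/modules}
    [ -d "$dir" ] || { echo unknown; return 0; }
    ctx=$(stat -c %C "$dir" 2>/dev/null) || { echo unknown; return 0; }
    classify_context "$ctx"
}

# Constructed sample contexts: pre-fix label, post-fix label, no SELinux.
for sample in \
    'system_u:object_r:selinux_config_t' \
    'system_u:object_r:semanage_store_t' \
    '?'
do
    printf '%-40s %s\n' "$sample" "$(classify_context "$sample")"
done

# Live check; prints "unknown" on hosts without the directory or SELinux.
printf 'live: %s\n' "$(check_store "$@")"
```

A result of "relabel" means the directory needs the semanage fcontext and restorecon commands given in the description.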
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:15:17 UTC
In hardened-dev overlay, rev 11
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:57:05 UTC
In main tree, ~arched
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:35:28 UTC
Stabilized