[redhat-lspp] Just noticed a problem with semanage/semodule and SELinux policy
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 25 12:41:17 UTC 2007
On Thu, 2007-01-25 at 06:57 -0500, Stephen Smalley wrote:
> On Wed, 2007-01-24 at 16:37 -0500, Daniel J Walsh wrote:
> > Currently you can run semanage/semodule at SystemLow and they end up
> > creating files in /etc/selinux/mls/seusers and
> > /etc/selinux/mls/policy/policy.21 at SystemLow.
> >
> > The system defaults say they should be at SystemHigh. I am not sure why
> > they are specified at SystemHigh, but we either need to change the
> > specification or lots of other files need to be moved to system high and
> > perhaps only allow semanage to run at SystemHigh.
> >
> > Running semanage at SystemHigh ends up creating a bunch of files at
> > SystemHigh that should be SystemLow, also. So no easy fix.
>
> Running semanage/semodule at SystemLow and using range_transition to
> transition the files to SystemHigh may work. But are they truly
> SystemHigh in their data?
And what inputs to them are considered SystemHigh, as those files would
need to be kept at SystemHigh as well?
range_transition may be insufficiently granular if you want to keep some
of the policy files at SystemLow and others at SystemHigh; we would need
libsemanage to call matchpathcon() and setfscreatecon() on each file it
creates.
--
Stephen Smalley
National Security Agency
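As an added illustration (not code from this thread, from libsemanage or from libselinux itself), the sequence proposed above, matchpathcon() to look up the context file_contexts specifies for the path, setfscreatecon() before creating the file, and a reset afterwards, written in Python against libselinux through ctypes. Since the MLS range is part of the context string, this is what would let one created file land at SystemHigh and another at SystemLow according to the specification rather than at the caller's level. The helper names (`_load_libselinux`, `create_with_matched_context`, `file_context`, `demo`) are mine; the libselinux entry points and signatures are real. The example assumes a file_contexts entry exists for the path and that the process holds the setfscreate permission; when libselinux is absent or SELinux is disabled it falls back to a plain create and says so in its result, so the two branches are visible. The created path is a constructed stand-in, not a real policy file.

```python
import ctypes
import ctypes.util
import os
import stat
import tempfile


def _load_libselinux():
    """Return a ctypes handle to libselinux, or None when it is not installed."""
    name = ctypes.util.find_library("selinux") or "libselinux.so.1"
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.is_selinux_enabled.restype = ctypes.c_int
    # int matchpathcon(const char *path, mode_t mode, char **con)
    lib.matchpathcon.argtypes = [ctypes.c_char_p, ctypes.c_uint,
                                 ctypes.POINTER(ctypes.c_void_p)]
    lib.matchpathcon.restype = ctypes.c_int
    # int setfscreatecon(const char *context); NULL restores the default
    lib.setfscreatecon.argtypes = [ctypes.c_char_p]
    lib.setfscreatecon.restype = ctypes.c_int
    # int lgetfilecon(const char *path, char **con)
    lib.lgetfilecon.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p)]
    lib.lgetfilecon.restype = ctypes.c_int
    lib.freecon.argtypes = [ctypes.c_void_p]
    lib.freecon.restype = None
    return lib


def _take_context(lib, con):
    """Copy the context string out of a libselinux-allocated buffer and free it."""
    try:
        return ctypes.string_at(con.value).decode()
    finally:
        lib.freecon(con)


def file_context(lib, path):
    """Read back the context actually stored on `path` (lgetfilecon)."""
    con = ctypes.c_void_p()
    if lib.lgetfilecon(path.encode(), ctypes.byref(con)) < 0:
        return None
    return _take_context(lib, con)


def create_with_matched_context(path, mode=0o644):
    """Create `path` carrying the context that file_contexts specifies for it.

    Sequence: matchpathcon() -> setfscreatecon() -> create -> setfscreatecon(NULL).
    The MLS range rides inside the context string, so the file gets the level
    the specification names, not the level of the calling process.
    Returns (used_selinux, context_read_back_or_None).
    """
    lib = _load_libselinux()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if lib is None or lib.is_selinux_enabled() <= 0:
        os.close(os.open(path, flags, mode))      # no SELinux: plain create
        return False, None
    con = ctypes.c_void_p()
    if lib.matchpathcon(path.encode(), stat.S_IFREG | mode, ctypes.byref(con)) != 0:
        raise OSError(f"no file_contexts entry matches {path}")
    wanted = _take_context(lib, con)
    if lib.setfscreatecon(wanted.encode()) != 0:
        raise OSError("setfscreatecon() refused; process lacks setfscreate?")
    try:
        os.close(os.open(path, flags, mode))
    finally:
        lib.setfscreatecon(None)                  # always reset, even on error
    got = file_context(lib, path)
    if got != wanted:
        raise OSError(f"{path} labelled {got}, expected {wanted}")
    return True, got


def demo():
    """Constructed run: create a stand-in 'policy.21' in a temp dir and report."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "policy.21")           # stand-in name, not a real policy
    used, ctx = create_with_matched_context(path)
    try:
        create_with_matched_context(path)
        refused = False
    except FileExistsError:
        refused = True                            # O_EXCL: never silently overwrite
    return {"path": path, "exists": os.path.isfile(path),
            "used_selinux": used, "context": ctx,
            "second_create_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The fscreate context is reset in a `finally` block so a failed create cannot leave later files from the same process carrying the wrong label, and the context is read back with lgetfilecon() after creation, which is the check that catches a filesystem or policy that silently ignored the request. matchpathcon() is marked deprecated in later libselinux releases in favour of selabel_open()/selabel_lookup() on the file_contexts backend; the create-with-matched-label sequence is the same with either lookup.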