From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 55B66138330 for ; Mon, 3 Oct 2016 06:26:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AEE12E0AA8; Mon, 3 Oct 2016 06:26:36 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9234AE0AA8 for ; Mon, 3 Oct 2016 06:26:36 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2DF84340E10 for ; Mon, 3 Oct 2016 06:26:35 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id AA54E2497 for ; Mon, 3 Oct 2016 06:26:33 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1475474661.c7941d5608f8aadd8be1cdda6abff4084b2e094e.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.if policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: c7941d5608f8aadd8be1cdda6abff4084b2e094e X-VCS-Branch: next Date: Mon, 3 Oct 2016 06:26:33 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4aff665b-5126-4d0c-959a-c0d7d9a576e2 X-Archives-Hash: d71731ccf57379112cdba1066a41538e commit: c7941d5608f8aadd8be1cdda6abff4084b2e094e Author: Jason Zaman via refpolicy oss tresys com> AuthorDate: Sun Sep 18 06:38:31 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 3 06:04:21 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7941d56 selinuxutil: allow setfiles to read semanage store commit a7334eb0de98af11ec38b6263536fa01bc2a606c libsemanage: validate and compile file contexts before installing validates the fcontexts when they are still in /var/lib/selinux. Without setfiles_t having access to read the files, validation fails and the policy cannot be updated. policy/modules/system/selinuxutil.if | 23 +++++++++++++++++++++++ policy/modules/system/selinuxutil.te | 1 + 2 files changed, 24 insertions(+) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index b4c70a3..a8221f0 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if 
@@ -1107,6 +1107,29 @@ interface(`seutil_run_semanage',` ######################################## ## +## Read the semanage module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_read_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + files_search_var($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + list_dirs_pattern($1, semanage_store_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) + read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) +') + +######################################## +## ## Full management of the semanage ## module store. ## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 4a100cd..98d7840 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
@@ -597,6 +597,7 @@ logging_send_syslog_msg(setfiles_t) miscfiles_read_localization(setfiles_t) seutil_libselinux_linked(setfiles_t) +seutil_read_module_store(setfiles_t) userdom_use_all_users_fds(setfiles_t) # for config files in a home directory
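Review bot: in the new seutil_read_module_store interface the only parent-directory search granted is files_search_var($1), yet the commit message says the contexts being validated sit under /var/lib/selinux; if /var/lib carries the usual var_lib_t label the caller also needs files_search_var_lib($1) to traverse into the store, so either add that call next to files_search_var($1) or confirm that setfiles_t already receives it elsewhere. Granting only list/read on semanage_store_t here, instead of reusing the "Full management of the semanage module store" interface that follows, is the right least-privilege choice for a consumer that only validates.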
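Review bot: a short comment above +seutil_read_module_store(setfiles_t) would help, since nothing on the line itself explains why a relabelling tool needs to read the module store; the reason is only in the commit message (libsemanage since a7334eb0 validates file contexts while they are still staged in /var/lib/selinux, and without read access the policy update fails), and recording it beside the rule keeps a later cleanup from removing the access as unexplained.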