commit: aea1a2c1e811cffff5f00eaff151aa39d275dc91
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 31 16:19:24 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 16:19:24 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aea1a2c1
Allow sesearch to find default policy
Utilities that want to find the default policy in /etc/selinux/*/policy
will need read privileges on policy_config_t as they list the contents
of the policy/ folder.
An example is the sesearch command.
policy/modules/system/selinuxutil.if | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/selinuxutil.if
b/policy/modules/system/selinuxutil.if
index 55d2429..b4c70a3 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -941,6 +941,12 @@ interface(`seutil_read_bin_policy',`
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
read_files_pattern($1, policy_config_t, policy_config_t)
+
+ ifdef(`distro_gentoo',`
+ # Allow sesearch to read /etc/selinux/.../policy
+ # Otherwise it returns "No default policy found"
+ allow $1 policy_config_t:dir list_dir_perms;
+ ')
')
########################################
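Review bot: The added `allow $1 policy_config_t:dir list_dir_perms;` sits inside the shared `seutil_read_bin_policy` interface, so on Gentoo every domain that calls this interface gains the right to enumerate policy_config_t directories, not only the domain sesearch runs in. The added comment names only sesearch, which hides that scope from anyone auditing callers later. I would reword it to say so, for example `# Gentoo: all callers may list policy_config_t dirs; tools such as sesearch need this to locate the default policy`. The interface starts above the hunk, so its `## <summary>` header is not visible here; if it still describes only reading the binary policy, it should mention the directory listing as well. If only a few callers need the lookup, a separate interface for the list permission would keep the remaining callers at their current privilege.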