[DSE-User] semodule missing permissions to /etc/selinux/default/modules/active

Éric Deschamps erdesc at free.fr
Wed Oct 2 14:53:25 UTC 2013


Hello,

Trying to load a new policy with semodule, I get this error:
# semodule -i /usr/share/selinux/shorewall-plus.pp
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/default/modules/active to
/etc/selinux/default/modules/previous. (Permission denied).
semodule:  Failed!

Here is an excerpt of audit2why explanation:

# grep semodule /var/log/audit/audit.log | audit2why

type=AVC msg=audit(1380724705.027:9561): avc:  denied  { getattr } for
pid=6007 comm="semodule" name="/" dev="sysfs" ino=1
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to
allow this access.

type=AVC msg=audit(1380724710.867:9562): avc:  denied  { rename } for
pid=6007 comm="semodule" name="active" dev="sda1" ino=134215
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to
allow this access.

Does this problem look normal to you? Is it a bug in basic policies or
did I miss something?

Regards,

Éric
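Added example, not part of the original thread and not code from the Debian or SELinux projects: a small Python helper that does what `audit2allow -M` does for the two AVC records quoted above, turning `avc: denied` lines into TE `allow` rules grouped by source type, target type and object class, and wrapping them in a loadable `.te` module. The audit log embedded below is constructed from the post's own records (joined back onto one line each, as audit.log stores them, plus a SYSCALL record that the parser must skip); the module name `local_semanage` is an arbitrary assumption. Before loading any such module, compare `ls -dZ /etc/selinux/default/modules/active` with `matchpathcon /etc/selinux/default/modules/active`: in the upstream reference policy the module store is normally labelled `semanage_store_t` rather than `selinux_config_t`, so a label mismatch fixed with `restorecon -Rv /etc/selinux/default/modules` is worth ruling out before granting `semanage_t` extra access.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the post, one record per line
# as in /var/log/audit/audit.log, plus a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380724705.027:9561): avc:  denied  { getattr } for pid=6007 comm="semodule" name="/" dev="sysfs" ino=1 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1380724710.867:9562): avc:  denied  { rename } for pid=6007 comm="semodule" name="active" dev="sda1" ino=134215 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1380724710.867:9562): arch=c000003e syscall=82 success=no exit=-13
"""

# Matches the fields of an AVC record that a TE rule needs.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def group_denials(log_text):
    """Merge denials into {(stype, ttype, tclass): set(perms)}."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            grouped[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return grouped


def format_perms(perms):
    """Single permission bare, several inside braces, as audit2allow prints."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def avc_to_te(log_text):
    """Return the sorted list of allow rules implied by the denials."""
    return sorted(
        "allow %s %s:%s %s;" % (stype, ttype, tclass, format_perms(perms))
        for (stype, ttype, tclass), perms in group_denials(log_text).items()
    )


def build_module(name, log_text):
    """Return the text of a loadable .te module for the denials in log_text."""
    grouped = group_denials(log_text)
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in grouped.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["    type %s;" % t for t in sorted(types)]
    lines += ["    class %s %s;" % (c, format_perms(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += avc_to_te(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Equivalent of: grep semodule audit.log | audit2allow -M local_semanage
    # (then: checkmodule -M -m -o x.mod x.te && semodule_package -o x.pp -m x.mod)
    print(build_module("local_semanage", SAMPLE_AUDIT_LOG))
```

The generated module should be treated as a diagnosis, not a fix: it names exactly which type pair and class is short a permission (here `semanage_t` on a `selinux_config_t` directory), which is the information needed to decide between relabelling the directory and filing a policy bug.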


