* setsebool
From: Daniel J Walsh @ 2006-07-13 10:54 UTC
To: Stephen Smalley; +Cc: Michael C Thompson, Steve Grubb, SE Linux

How come when I set one boolean via setsebool I get an AVC granted
message for all the booleans?

Is this a problem in the Kernel or libraries? Or just the way it is?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: setsebool
From: Steve Grubb @ 2006-07-13 11:34 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, Michael C Thompson, SE Linux

On Thursday 13 July 2006 06:54, Daniel J Walsh wrote:
> Is this a problem in the Kernel or libraries? Or just the way it is?

I think the granted statement comes from policy. I was thinking that audit of
granting when changing booleans would be dropped from policy when the 2.6.17
kernel was out.

-Steve

* Re: setsebool
From: Karl MacMillan @ 2006-07-13 12:06 UTC
To: Steve Grubb; +Cc: Daniel J Walsh, Stephen Smalley, Michael C Thompson, SE Linux

On Thu, 2006-07-13 at 07:34 -0400, Steve Grubb wrote:
> On Thursday 13 July 2006 06:54, Daniel J Walsh wrote:
> > Is this a problem in the Kernel or libraries? Or just the way it is?
>
> I think the granted statement comes from policy. I was thinking that audit of
> granting when changing booleans would be dropped from policy when the 2.6.17
> kernel was out.
>

The kernel also generates a message with all of the boolean states in
addition to the auditallow. When I wrote that my thought was that there
would not be that many booleans and printing them all would make it
easier to see the state of the system in the logs. Obviously I was wrong
about the number of booleans.

The message is printed from security_set_bools in services.c. Should
this just go in favor of an audit message or be changed to just print
the state of the changed booleans?

Karl

> -Steve

* Re: setsebool
From: Stephen Smalley @ 2006-07-13 12:26 UTC
To: Karl MacMillan; +Cc: Steve Grubb, Daniel J Walsh, Michael C Thompson, SE Linux

On Thu, 2006-07-13 at 08:06 -0400, Karl MacMillan wrote:
> On Thu, 2006-07-13 at 07:34 -0400, Steve Grubb wrote:
> > On Thursday 13 July 2006 06:54, Daniel J Walsh wrote:
> > > Is this a problem in the Kernel or libraries? Or just the way it is?
> >
> > I think the granted statement comes from policy. I was thinking that audit of
> > granting when changing booleans would be dropped from policy when the 2.6.17
> > kernel was out.
> >
>
> The kernel also generates a message with all of the boolean states in
> addition to the auditallow. When I wrote that my thought was that there
> would not be that many booleans and printing them all would make it
> easier to see the state of the system in the logs. Obviously I was wrong
> about the number of booleans.
>
> The message is printed from security_set_bools in services.c. Should
> this just go in favor of an audit message or be changed to just print
> the state of the changed booleans?

Steve Grubb already changed that printk to an audit_log call that only
displays changed values. In 2.6.17.

--
Stephen Smalley
National Security Agency

* Re: setsebool
From: Karl MacMillan @ 2006-07-13 12:41 UTC
To: Stephen Smalley; +Cc: Steve Grubb, SE Linux

On Thu, 2006-07-13 at 08:26 -0400, Stephen Smalley wrote:
> On Thu, 2006-07-13 at 08:06 -0400, Karl MacMillan wrote:
> > On Thu, 2006-07-13 at 07:34 -0400, Steve Grubb wrote:
> > > On Thursday 13 July 2006 06:54, Daniel J Walsh wrote:
> > > > Is this a problem in the Kernel or libraries? Or just the way it is?
> > >
> > > I think the granted statement comes from policy. I was thinking that audit of
> > > granting when changing booleans would be dropped from policy when the 2.6.17
> > > kernel was out.
> > >
> >
> > The kernel also generates a message with all of the boolean states in
> > addition to the auditallow. When I wrote that my thought was that there
> > would not be that many booleans and printing them all would make it
> > easier to see the state of the system in the logs. Obviously I was wrong
> > about the number of booleans.
> >
> > The message is printed from security_set_bools in services.c. Should
> > this just go in favor of an audit message or be changed to just print
> > the state of the changed booleans?
>
> Steve Grubb already changed that printk to an audit_log call that only
> displays changed values. In 2.6.17.
>

Oops - that will teach me to look at old kernel source. Looking through
the archives I didn't see that patch posted to this list (but maybe I
missed it). Where was this discussed?

Karl

* Re: setsebool
From: Stephen Smalley @ 2006-07-13 12:58 UTC
To: Karl MacMillan; +Cc: Steve Grubb, SE Linux

On Thu, 2006-07-13 at 08:41 -0400, Karl MacMillan wrote:
> > Steve Grubb already changed that printk to an audit_log call that only
> > displays changed values. In 2.6.17.
> >
>
> Oops - that will teach me to look at old kernel source. Looking through
> the archives I didn't see that patch posted to this list (but maybe I
> missed it). Where was this discussed?

linux-audit and redhat-lspp lists.

--
Stephen Smalley
National Security Agency

* Re: setsebool
From: Stephen Smalley @ 2006-07-13 12:07 UTC
To: Daniel J Walsh; +Cc: Michael C Thompson, Steve Grubb, SE Linux

On Thu, 2006-07-13 at 06:54 -0400, Daniel J Walsh wrote:
> How come when I set one boolean via setsebool I get an AVC granted
> message for all the booleans?
>
> Is this a problem in the Kernel or libraries? Or just the way it is?

libsemanage sets them all upon commit.
We could likely drop the auditallow statement on setbool as it isn't
particularly useful and we now have the explicit audit messages for
MAC_CONFIG_CHANGE.

--
Stephen Smalley
National Security Agency

* Re: setsebool
From: Steve Grubb @ 2006-07-13 12:25 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, Michael C Thompson, SE Linux

On Thursday 13 July 2006 08:07, Stephen Smalley wrote:
> We could likely drop the auditallow statement on setbool as it isn't
> particularly useful and we now have the explicit audit messages for
> MAC_CONFIG_CHANGE.

That would be great.

Thanks,
-Steve

* Re: setsebool
From: Christopher J. PeBenito @ 2006-07-13 13:37 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, Michael C Thompson, Steve Grubb, SE Linux

On Thu, 2006-07-13 at 08:07 -0400, Stephen Smalley wrote:
> On Thu, 2006-07-13 at 06:54 -0400, Daniel J Walsh wrote:
> > How come when I set one boolean via setsebool I get an AVC granted
> > message for all the booleans?
> >
> > Is this a problem in the Kernel or libraries? Or just the way it is?
>
> libsemanage sets them all upon commit.
> We could likely drop the auditallow statement on setbool as it isn't
> particularly useful and we now have the explicit audit messages for
> MAC_CONFIG_CHANGE.

I'll remove the auditallow except for distro_rhel4 since those systems
don't have libsemanage and auditing.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

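Added example, not part of the thread and not code from any of the projects discussed: a small Python filter showing why the MAC_CONFIG_CHANGE records are the useful signal when reviewing boolean changes, while the AVC "granted" lines from the auditallow rule only add volume. The sample records are constructed, and the record layout (AVC `granted { setbool }` lines, MAC_CONFIG_CHANGE with `bool=`, `val=`, `old_val=`, `auid=` fields) is an assumption about the audit log format.

```python
import re

# Constructed audit records for one `setsebool` run (not taken from the thread).
# Assumed layout: AVC "granted" lines from the policy auditallow rule, plus one
# MAC_CONFIG_CHANGE record carrying bool=, val=, old_val= and auid= fields.
SAMPLE_LOG = """\
type=AVC msg=audit(1152791640.101:210): avc:  granted  { setbool } for  pid=2301 comm="setsebool" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1152791640.102:211): avc:  granted  { setbool } for  pid=2301 comm="setsebool" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1152791640.103:212): avc:  granted  { setbool } for  pid=2301 comm="setsebool" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=MAC_CONFIG_CHANGE msg=audit(1152791640.105:213): bool=httpd_enable_cgi val=1 old_val=0 auid=500
type=SYSCALL msg=audit(1152791640.105:213): arch=40000003 syscall=4 success=yes exit=1 comm="setsebool"
"""

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
GRANTED_SETBOOL = re.compile(r"avc:\s+granted\s+\{[^}]*\bsetbool\b[^}]*\}")


def summarize(log_text):
    """Count setbool 'granted' noise and list the booleans that really changed."""
    granted, changes = 0, []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record in the assumed layout
        if m["type"] == "AVC" and GRANTED_SETBOOL.search(m["body"]):
            granted += 1
        elif m["type"] == "MAC_CONFIG_CHANGE":
            f = dict(FIELD.findall(m["body"]))
            if not {"bool", "val", "old_val"} <= f.keys():
                continue  # some other MAC configuration change
            if f["val"] != f["old_val"]:
                changes.append({"bool": f["bool"], "old": int(f["old_val"]),
                                "new": int(f["val"]), "auid": f.get("auid"),
                                "serial": int(m["serial"])})
    return {"granted_setbool": granted, "changes": changes}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```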