* How come security_get_boolean_pending returns true when a boolean is on.
@ 2004-11-11 14:14 Daniel J Walsh
  2004-11-11 18:56 ` Steve G
  2004-11-11 20:53 ` Christopher J. PeBenito
  0 siblings, 2 replies; 4+ messages in thread
From: Daniel J Walsh @ 2004-11-11 14:14 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

getsebool -a
mozilla_writehome --> active: 1 pending: 1
named_write_master_zones --> active: 0 pending: 0
nfs_export_all_ro --> active: 0 pending: 0
nfs_export_all_rw --> active: 0 pending: 0
read_default_t --> active: 1 pending: 1
run_ssh_inetd --> active: 0 pending: 0
secure_mode --> active: 0 pending: 0
spamassasin_can_network --> active: 0 pending: 0
ssh_sysadm_login --> active: 1 pending: 1
staff_read_sysadm_file --> active: 1 pending: 1

Shouldn't this be
staff_read_sysadm_file --> active: 1 pending: 0

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: How come security_get_boolean_pending returns true when a boolean is on.
  2004-11-11 14:14 How come security_get_boolean_pending returns true when a boolean is on Daniel J Walsh
@ 2004-11-11 18:56 ` Steve G
  2004-11-11 20:53 ` Christopher J. PeBenito
  1 sibling, 0 replies; 4+ messages in thread
From: Steve G @ 2004-11-11 18:56 UTC (permalink / raw)
  To: Daniel J Walsh, Stephen Smalley, SELinux


>Shouldn't this be
>staff_read_sysadm_file --> active: 1 pending: 0

That depends....SE Linux interface remembers booleans that get set but haven't
been committed. There isn't an explicit "rollback" command to match the commit. I
tried to fix togglesebool and setsebool to do a rollback by walking the table and
setting all pending values to the active value.

Were you using current tools and how did you get it like that?

-Steve Grubb


		

* Re: How come security_get_boolean_pending returns true when a boolean is on.
  2004-11-11 14:14 How come security_get_boolean_pending returns true when a boolean is on Daniel J Walsh
  2004-11-11 18:56 ` Steve G
@ 2004-11-11 20:53 ` Christopher J. PeBenito
  2004-11-12  1:00   ` Daniel J Walsh
  1 sibling, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2004-11-11 20:53 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux Mail List

On Thu, 2004-11-11 at 09:14 -0500, Daniel J Walsh wrote:
> getsebool -a
> mozilla_writehome --> active: 1 pending: 1
> named_write_master_zones --> active: 0 pending: 0
> nfs_export_all_ro --> active: 0 pending: 0
> nfs_export_all_rw --> active: 0 pending: 0
> read_default_t --> active: 1 pending: 1
> run_ssh_inetd --> active: 0 pending: 0
> secure_mode --> active: 0 pending: 0
> spamassasin_can_network --> active: 0 pending: 0
> ssh_sysadm_login --> active: 1 pending: 1
> staff_read_sysadm_file --> active: 1 pending: 1

The active and pending should be the same unless someone is intending to
change it, but hasn't committed the changes.  So in this example:

> Shouldn't this be
> staff_read_sysadm_file --> active: 1 pending: 0

this would mean that someone has done a
security_set_boolean("staff_read_sysadm_file",0), but hasn't done a
security_commit_booleans() yet.  After you commit it, the bool will be
active 0, pending 0.  Then subsequent commits will not change the value
since the pending is the same as the active.  If active and pending were
always opposite, you'd be toggling all of the booleans on every
security_commit_booleans().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: How come security_get_boolean_pending returns true when a boolean is on.
  2004-11-11 20:53 ` Christopher J. PeBenito
@ 2004-11-12  1:00   ` Daniel J Walsh
  0 siblings, 0 replies; 4+ messages in thread
From: Daniel J Walsh @ 2004-11-12  1:00 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Stephen Smalley, SELinux Mail List

Christopher J. PeBenito wrote:

>On Thu, 2004-11-11 at 09:14 -0500, Daniel J Walsh wrote:
>>getsebool -a
>>mozilla_writehome --> active: 1 pending: 1
>>named_write_master_zones --> active: 0 pending: 0
>>nfs_export_all_ro --> active: 0 pending: 0
>>nfs_export_all_rw --> active: 0 pending: 0
>>read_default_t --> active: 1 pending: 1
>>run_ssh_inetd --> active: 0 pending: 0
>>secure_mode --> active: 0 pending: 0
>>spamassasin_can_network --> active: 0 pending: 0
>>ssh_sysadm_login --> active: 1 pending: 1
>>staff_read_sysadm_file --> active: 1 pending: 1
>
>The active and pending should be the same unless someone is intending to
>change it, but hasn't committed the changes.  So in this example:
>
>>Shouldn't this be
>>staff_read_sysadm_file --> active: 1 pending: 0
>
>this would mean that someone has done a
>security_set_boolean("staff_read_sysadm_file",0), but hasn't done a
>security_commit_booleans() yet.  After you commit it, the bool will be
>active 0, pending 0.  Then subsequent commits will not change the value
>since the pending is the same as the active.  If active and pending were
>always opposite, you'd be toggling all of the booleans on every
>security_commit_booleans().

That is what I figured out after I sent the mail.  So I have changed 
getsebool to report.

allow_xserver_home_fonts --> inactive
allow_ypbind --> inactive
cron_can_relabel --> inactive
disable_games --> inactive pending --> avtive
(active and pending differ)
ftp_home_dir --> active
ftpd_is_daemon --> active
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active  pending --> inactive


Which I think is much more understandable.
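
The staged-commit behaviour explained in the replies above (set, commit, and the table-walking rollback) and the revised report style, as an added C model that is not part of the original thread and does not call libselinux. The `model_*` function names and the table contents are constructed for illustration.

```c
/* In-memory model only: model_* names are hypothetical, not libselinux. */
#include <stdio.h>
#include <string.h>

struct sebool { const char *name; int active; int pending; };

/* Constructed sample table; boolean names are taken from the thread. */
static struct sebool table[] = {
    { "staff_read_sysadm_file", 1, 1 },
    { "disable_games",          0, 0 },
};
#define NBOOLS (sizeof(table) / sizeof(table[0]))

static struct sebool *model_find(const char *name) {
    for (size_t i = 0; i < NBOOLS; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Stage a value: only pending changes, the active value stays in force. */
int model_set_boolean(const char *name, int value) {
    struct sebool *b = model_find(name);
    if (b) b->pending = !!value;
    return b ? 0 : -1;
}

/* Walk the table. Commit copies pending to active, rollback copies
 * active to pending. Returns how many booleans differed. */
static int model_sync(int commit) {
    int n = 0;
    for (size_t i = 0; i < NBOOLS; i++) {
        if (table[i].active == table[i].pending) continue;
        if (commit) table[i].active = table[i].pending;
        else        table[i].pending = table[i].active;
        n++;
    }
    return n;
}
int model_commit_booleans(void)   { return model_sync(1); }
int model_rollback_booleans(void) { return model_sync(0); }

/* One line in the revised report style; returns 1 if a change is staged. */
int model_report(const char *name, char *buf, size_t len) {
    static const char *s[] = { "inactive", "active" };
    struct sebool *b = model_find(name);
    if (!b) return -1;
    if (b->active == b->pending) snprintf(buf, len, "%s --> %s", name, s[b->active]);
    else snprintf(buf, len, "%s --> %s pending --> %s", name, s[b->active], s[b->pending]);
    return b->active != b->pending;
}
```

A second commit with nothing staged returns 0 because pending already equals active, which is why the two values normally match.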
