* Question about setsebool.c
@ 2006-11-20 9:02 Yuichi Nakamura
2006-11-20 16:01 ` Karl MacMillan
From: Yuichi Nakamura @ 2006-11-20 9:02 UTC (permalink / raw)
To: selinux; +Cc: ynakam
Hi, I looked at the latest policycoreutils code
(policycoreutils-1.33.1-9.fc7.src.rpm)
and found strange code in setsebool.c.
    /* Apply (permanent) boolean changes to policy via libsemanage */
    static int semanage_set_boolean_list(size_t boolcnt,
                                         SELboolean * boollist, int perm)
    {
    <snip>
            } else if (managed == 0) {
                    if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
                            goto err;
                    goto out;
            }

Why is the 3rd arg for selinux_set_boolean_list "1"?
Should it be "perm"?
Yuichi Nakamura
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Question about setsebool.c
2006-11-20 9:02 Question about setsebool.c Yuichi Nakamura
@ 2006-11-20 16:01 ` Karl MacMillan
2006-11-20 18:39 ` Joshua Brindle
From: Karl MacMillan @ 2006-11-20 16:01 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: selinux
Yuichi Nakamura wrote:
> Hi, I looked at the latest policycoreutils code
> (policycoreutils-1.33.1-9.fc7.src.rpm)
> and found strange code in setsebool.c.
>
>     /* Apply (permanent) boolean changes to policy via libsemanage */
>     static int semanage_set_boolean_list(size_t boolcnt,
>                                          SELboolean * boollist, int perm)
>     {
>     <snip>
>             } else if (managed == 0) {
>                     if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
>                             goto err;
>                     goto out;
>             }
>
> Why is the 3rd arg for selinux_set_boolean_list "1"?
> Should it be "perm"?
>
Looks that way to me. Additionally, is it even possible to make a
non-permanent change to a boolean via semanage? If not, then this code
path should check for that. Josh?
Karl
* Re: Question about setsebool.c
2006-11-20 16:01 ` Karl MacMillan
@ 2006-11-20 18:39 ` Joshua Brindle
2006-11-20 19:59 ` Stephen Smalley
2006-11-20 20:04 ` Karl MacMillan
From: Joshua Brindle @ 2006-11-20 18:39 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Yuichi Nakamura, selinux
Karl MacMillan wrote:
> Yuichi Nakamura wrote:
>> Hi, I looked at the latest policycoreutils code
>> (policycoreutils-1.33.1-9.fc7.src.rpm)
>> and found strange code in setsebool.c.
>>
>>     /* Apply (permanent) boolean changes to policy via libsemanage */
>>     static int semanage_set_boolean_list(size_t boolcnt,
>>                                          SELboolean * boollist, int perm)
>>     {
>>     <snip>
>>             } else if (managed == 0) {
>>                     if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
>>                             goto err;
>>                     goto out;
>>             }
>>
>> Why is the 3rd arg for selinux_set_boolean_list "1"?
>> Should it be "perm"?
>>
>
> Looks that way to me. Additionally, is it even possible to make a
> non-permanent change to a boolean via semanage? If not, then this code
> path should check for that. Josh?
>
libsemanage is only responsible for the persistent changes; setsebool
sets the non-persistent ones directly, as in fact demonstrated by the code
snippet above. This does look like a bug, and if someone uses setsebool
to set a non-persistent boolean on an unmanaged system it appears that
it will indeed make it permanent.
* Re: Question about setsebool.c
2006-11-20 18:39 ` Joshua Brindle
@ 2006-11-20 19:59 ` Stephen Smalley
2006-11-20 20:04 ` Karl MacMillan
From: Stephen Smalley @ 2006-11-20 19:59 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Karl MacMillan, Yuichi Nakamura, selinux
On Mon, 2006-11-20 at 13:39 -0500, Joshua Brindle wrote:
> Karl MacMillan wrote:
> > Yuichi Nakamura wrote:
> >> Hi, I looked at the latest policycoreutils code
> >> (policycoreutils-1.33.1-9.fc7.src.rpm)
> >> and found strange code in setsebool.c.
> >>
> >>     /* Apply (permanent) boolean changes to policy via libsemanage */
> >>     static int semanage_set_boolean_list(size_t boolcnt,
> >>                                          SELboolean * boollist, int perm)
> >>     {
> >>     <snip>
> >>             } else if (managed == 0) {
> >>                     if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
> >>                             goto err;
> >>                     goto out;
> >>             }
> >>
> >> Why is the 3rd arg for selinux_set_boolean_list "1"?
> >> Should it be "perm"?
> >>
> >
> > Looks that way to me. Additionally, is it even possible to make a
> > non-permanent change to a boolean via semanage? If not, then this code
> > path should check for that. Josh?
> >
> libsemanage is only responsible for the persistent changes; setsebool
> sets the non-persistent ones directly, as in fact demonstrated by the code
> snippet above. This does look like a bug, and if someone uses setsebool
> to set a non-persistent boolean on an unmanaged system it appears that
> it will indeed make it permanent.
Point of clarification - if policy is managed, libsemanage does handle
non-persistent booleans as well (the _active interfaces). But I agree
that the above appears to be a bug in the unmanaged case.
--
Stephen Smalley
National Security Agency
* Re: Question about setsebool.c
2006-11-20 18:39 ` Joshua Brindle
2006-11-20 19:59 ` Stephen Smalley
@ 2006-11-20 20:04 ` Karl MacMillan
2006-11-20 20:10 ` Stephen Smalley
From: Karl MacMillan @ 2006-11-20 20:04 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Yuichi Nakamura, selinux
Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Yuichi Nakamura wrote:
>>> Hi, I looked at the latest policycoreutils code
>>> (policycoreutils-1.33.1-9.fc7.src.rpm)
>>> and found strange code in setsebool.c.
>>>
>>>     /* Apply (permanent) boolean changes to policy via libsemanage */
>>>     static int semanage_set_boolean_list(size_t boolcnt,
>>>                                          SELboolean * boollist, int perm)
>>>     {
>>>     <snip>
>>>             } else if (managed == 0) {
>>>                     if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
>>>                             goto err;
>>>                     goto out;
>>>             }
>>>
>>> Why is the 3rd arg for selinux_set_boolean_list "1"?
>>> Should it be "perm"?
>>>
>>
>> Looks that way to me. Additionally, is it even possible to make a
>> non-permanent change to a boolean via semanage? If not, then this code
>> path should check for that. Josh?
>>
> libsemanage is only responsible for the persistent changes,
That is not how the current setsebool.c code works - see:
    if (perm
        && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
            goto err;

Testing confirms that this allows setting non-persistent booleans via
semanage using setsebool.

> setsebool
> sets the non-persistent directly, in fact demonstrated by the code
> snippet above. This does look like a bug and if someone uses setsebool
> to set a non-persistent boolean on an unmanaged system it appears that
> it will indeed make it permanent.
>
What about this:
diff -r 130ab1cdcc3a policycoreutils/setsebool/setsebool.c
--- a/policycoreutils/setsebool/setsebool.c Thu Nov 16 17:11:37 2006 -0500
+++ b/policycoreutils/setsebool/setsebool.c Mon Nov 20 15:01:14 2006 -0500
@@ -115,7 +115,7 @@ static int semanage_set_boolean_list(siz
goto err;
} else if (managed == 0) {
- if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
+ if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0)
goto err;
goto out;
}
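Review bot: the fix to the managed == 0 branch is the right one, since on an unmanaged system selinux_set_boolean_list() is the only call made and its third argument is the only thing deciding whether the new value is written back persistently; but the comment heading the function, "/* Apply (permanent) boolean changes to policy via libsemanage */", is now doubly misleading, because the function handles non-permanent changes as well and on this branch does not go through libsemanage at all. Suggest updating it in the same patch, e.g. "/* Apply boolean changes (persistently if perm is set), via libsemanage when policy is managed and via libselinux otherwise */", so the next reader is not tempted to reintroduce the hard-coded 1.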
Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
* Re: Question about setsebool.c
2006-11-20 20:04 ` Karl MacMillan
@ 2006-11-20 20:10 ` Stephen Smalley
From: Stephen Smalley @ 2006-11-20 20:10 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Joshua Brindle, Yuichi Nakamura, selinux
On Mon, 2006-11-20 at 15:04 -0500, Karl MacMillan wrote:
> Joshua Brindle wrote:
> > Karl MacMillan wrote:
> >> Yuichi Nakamura wrote:
> >>> Hi, I looked at the latest policycoreutils code
> >>> (policycoreutils-1.33.1-9.fc7.src.rpm)
> >>> and found strange code in setsebool.c.
> >>>
> >>>     /* Apply (permanent) boolean changes to policy via libsemanage */
> >>>     static int semanage_set_boolean_list(size_t boolcnt,
> >>>                                          SELboolean * boollist, int perm)
> >>>     {
> >>>     <snip>
> >>>             } else if (managed == 0) {
> >>>                     if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
> >>>                             goto err;
> >>>                     goto out;
> >>>             }
> >>>
> >>> Why is the 3rd arg for selinux_set_boolean_list "1"?
> >>> Should it be "perm"?
> >>>
> >>
> >> Looks that way to me. Additionally, is it even possible to make a
> >> non-permanent change to a boolean via semanage? If not, then this code
> >> path should check for that. Josh?
> >>
> > libsemanage is only responsible for the persistent changes,
>
> That is not how the current setsebool.c code works - see:
>
>     if (perm
>         && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
>             goto err;
>
> Testing confirms that this allows setting non-persistent booleans via
> semanage using setsebool.
>
> > setsebool
> > sets the non-persistent directly, in fact demonstrated by the code
> > snippet above. This does look like a bug and if someone uses setsebool
> > to set a non-persistent boolean on an unmanaged system it appears that
> > it will indeed make it permanent.
> >
>
> What about this:
>
> diff -r 130ab1cdcc3a policycoreutils/setsebool/setsebool.c
> --- a/policycoreutils/setsebool/setsebool.c Thu Nov 16 17:11:37 2006 -0500
> +++ b/policycoreutils/setsebool/setsebool.c Mon Nov 20 15:01:14 2006 -0500
> @@ -115,7 +115,7 @@ static int semanage_set_boolean_list(siz
> goto err;
>
> } else if (managed == 0) {
> - if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
> + if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0)
> goto err;
> goto out;
> }
>
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
--
Stephen Smalley
National Security Agency