* Question about setsebool.c
@ 2006-11-20 9:02 Yuichi Nakamura
2006-11-20 16:01 ` Karl MacMillan
0 siblings, 1 reply; 6+ messages in thread
From: Yuichi Nakamura @ 2006-11-20 9:02 UTC (permalink / raw)
To: selinux; +Cc: ynakam
Hi, I looked at the latest policycoreutils code.
(policycoreutils-1.33.1-9.fc7.src.rpm)
And found strange code, in setsebool.c.
94 /* Apply (permanent) boolean changes to policy via libsemanage */
95 static int semanage_set_boolean_list(size_t boolcnt,
96 SELboolean * boollist, int perm)
97 {
<snip>
117 } else if (managed == 0) {
118 if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
119 goto err;
120 goto out;
121 }
Why 3rd arg for selinux_set_boolean_list is "1"?
Should it be "perm"?
Yuichi Nakamura
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Question about setsebool.c 2006-11-20 9:02 Question about setsebool.c Yuichi Nakamura @ 2006-11-20 16:01 ` Karl MacMillan 2006-11-20 18:39 ` Joshua Brindle 0 siblings, 1 reply; 6+ messages in thread From: Karl MacMillan @ 2006-11-20 16:01 UTC (permalink / raw) To: Yuichi Nakamura; +Cc: selinux Yuichi Nakamura wrote: > Hi, I looked at the latest policycoreutils code. > (policycoreutils-1.33.1-9.fc7.src.rpm) > > And found strange code, in setsebool.c. > > 94 /* Apply (permanent) boolean changes to policy via libsemanage */ > 95 static int semanage_set_boolean_list(size_t boolcnt, > 96 SELboolean * boollist, int perm) > 97 { > <snip> > 117 } else if (managed == 0) { > 118 if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0) > 119 goto err; > 120 goto out; > 121 } > > Why 3rd arg for selinux_set_boolean_list is "1"? > Should it be "perm"? > Looks that way to me. Additionally, is it even possible to make non-permanent change to a boolean via semanage? If not, then this code path should check for that. Josh? Karl -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Question about setsebool.c 2006-11-20 16:01 ` Karl MacMillan @ 2006-11-20 18:39 ` Joshua Brindle 2006-11-20 19:59 ` Stephen Smalley 2006-11-20 20:04 ` Karl MacMillan 0 siblings, 2 replies; 6+ messages in thread From: Joshua Brindle @ 2006-11-20 18:39 UTC (permalink / raw) To: Karl MacMillan; +Cc: Yuichi Nakamura, selinux Karl MacMillan wrote: > Yuichi Nakamura wrote: >> Hi, I looked at the latest policycoreutils code. >> (policycoreutils-1.33.1-9.fc7.src.rpm) >> >> And found strange code, in setsebool.c. >> >> 94 /* Apply (permanent) boolean changes to policy via >> libsemanage */ >> 95 static int semanage_set_boolean_list(size_t boolcnt, >> 96 SELboolean * boollist, >> int perm) >> 97 { >> <snip> >> 117 } else if (managed == 0) { >> 118 if (selinux_set_boolean_list(boolcnt, >> boollist, 1) < 0) >> 119 goto err; >> 120 goto out; >> 121 } >> >> Why 3rd arg for selinux_set_boolean_list is "1"? >> Should it be "perm"? >> > > Looks that way to me. Additionally, is it even possible to make > non-permanent change to a boolean via semanage? If not, then this code > path should check for that. Josh? > libsemanage is only responsible for the persistent changes, sesetbool sets the non-persistent directly, in fact demonstrated by the code snippet above. This does look like a bug and if someone uses setsebool to set a non-persistent boolean on an unmanaged system it appears that it will indeed make it permanent. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Question about setsebool.c 2006-11-20 18:39 ` Joshua Brindle @ 2006-11-20 19:59 ` Stephen Smalley 2006-11-20 20:04 ` Karl MacMillan 1 sibling, 0 replies; 6+ messages in thread From: Stephen Smalley @ 2006-11-20 19:59 UTC (permalink / raw) To: Joshua Brindle; +Cc: Karl MacMillan, Yuichi Nakamura, selinux On Mon, 2006-11-20 at 13:39 -0500, Joshua Brindle wrote: > Karl MacMillan wrote: > > Yuichi Nakamura wrote: > >> Hi, I looked at the latest policycoreutils code. > >> (policycoreutils-1.33.1-9.fc7.src.rpm) > >> > >> And found strange code, in setsebool.c. > >> > >> 94 /* Apply (permanent) boolean changes to policy via > >> libsemanage */ > >> 95 static int semanage_set_boolean_list(size_t boolcnt, > >> 96 SELboolean * boollist, > >> int perm) > >> 97 { > >> <snip> > >> 117 } else if (managed == 0) { > >> 118 if (selinux_set_boolean_list(boolcnt, > >> boollist, 1) < 0) > >> 119 goto err; > >> 120 goto out; > >> 121 } > >> > >> Why 3rd arg for selinux_set_boolean_list is "1"? > >> Should it be "perm"? > >> > > > > Looks that way to me. Additionally, is it even possible to make > > non-permanent change to a boolean via semanage? If not, then this code > > path should check for that. Josh? > > > libsemanage is only responsible for the persistent changes, sesetbool > sets the non-persistent directly, in fact demonstrated by the code > snippet above. This does look like a bug and if someone uses setsebool > to set a non-persistent boolean on an unmanaged system it appears that > it will indeed make it permanent. Point of clarification - if policy is managed, libsemanage does handle non-persistent booleans as well (the _active interfaces). But I agree that the above appears to be a bug in the unmanaged case. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Question about setsebool.c 2006-11-20 18:39 ` Joshua Brindle 2006-11-20 19:59 ` Stephen Smalley @ 2006-11-20 20:04 ` Karl MacMillan 2006-11-20 20:10 ` Stephen Smalley 1 sibling, 1 reply; 6+ messages in thread From: Karl MacMillan @ 2006-11-20 20:04 UTC (permalink / raw) To: Joshua Brindle; +Cc: Yuichi Nakamura, selinux Joshua Brindle wrote: > Karl MacMillan wrote: >> Yuichi Nakamura wrote: >>> Hi, I looked at the latest policycoreutils code. >>> (policycoreutils-1.33.1-9.fc7.src.rpm) >>> >>> And found strange code, in setsebool.c. >>> >>> 94 /* Apply (permanent) boolean changes to policy via >>> libsemanage */ >>> 95 static int semanage_set_boolean_list(size_t boolcnt, >>> 96 SELboolean * boollist, >>> int perm) >>> 97 { >>> <snip> >>> 117 } else if (managed == 0) { >>> 118 if (selinux_set_boolean_list(boolcnt, >>> boollist, 1) < 0) >>> 119 goto err; >>> 120 goto out; >>> 121 } >>> >>> Why 3rd arg for selinux_set_boolean_list is "1"? >>> Should it be "perm"? >>> >> >> Looks that way to me. Additionally, is it even possible to make >> non-permanent change to a boolean via semanage? If not, then this code >> path should check for that. Josh? >> > libsemanage is only responsible for the persistent changes, That is not how the current setsebool.c code works - see: if (perm && semanage_bool_modify_local(handle, bool_key, boolean) < 0) goto err; Testing confirms that this allows setting non-persistent booleans via semanage using setsebool. sesetbool > sets the non-persistent directly, in fact demonstrated by the code > snippet above. This does look like a bug and if someone uses setsebool > to set a non-persistent boolean on an unmanaged system it appears that > it will indeed make it permanent. > What about this: diff -r 130ab1cdcc3a policycoreutils/setsebool/setsebool.c --- a/policycoreutils/setsebool/setsebool.c Thu Nov 16 17:11:37 2006 -0500 +++ b/policycoreutils/setsebool/setsebool.c Mon Nov 20 15:01:14 2006 -0500 @@ -115,7 +115,7 @@ static int semanage_set_boolean_list(siz goto err; } else if (managed == 0) { - if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0) + if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0) goto err; goto out; } Signed-off-by Karl MacMillan <kmacmillan@mentalrootkit.com> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Question about setsebool.c 2006-11-20 20:04 ` Karl MacMillan @ 2006-11-20 20:10 ` Stephen Smalley 0 siblings, 0 replies; 6+ messages in thread From: Stephen Smalley @ 2006-11-20 20:10 UTC (permalink / raw) To: Karl MacMillan; +Cc: Joshua Brindle, Yuichi Nakamura, selinux On Mon, 2006-11-20 at 15:04 -0500, Karl MacMillan wrote: > Joshua Brindle wrote: > > Karl MacMillan wrote: > >> Yuichi Nakamura wrote: > >>> Hi, I looked at the latest policycoreutils code. > >>> (policycoreutils-1.33.1-9.fc7.src.rpm) > >>> > >>> And found strange code, in setsebool.c. > >>> > >>> 94 /* Apply (permanent) boolean changes to policy via > >>> libsemanage */ > >>> 95 static int semanage_set_boolean_list(size_t boolcnt, > >>> 96 SELboolean * boollist, > >>> int perm) > >>> 97 { > >>> <snip> > >>> 117 } else if (managed == 0) { > >>> 118 if (selinux_set_boolean_list(boolcnt, > >>> boollist, 1) < 0) > >>> 119 goto err; > >>> 120 goto out; > >>> 121 } > >>> > >>> Why 3rd arg for selinux_set_boolean_list is "1"? > >>> Should it be "perm"? > >>> > >> > >> Looks that way to me. Additionally, is it even possible to make > >> non-permanent change to a boolean via semanage? If not, then this code > >> path should check for that. Josh? > >> > > libsemanage is only responsible for the persistent changes, > > That is not how the current setsebool.c code works - see: > > if (perm > && semanage_bool_modify_local(handle, bool_key, boolean) < 0) > goto err; > > Testing confirms that this allows setting non-persistent booleans via > semanage using setsebool. > > sesetbool > > sets the non-persistent directly, in fact demonstrated by the code > > snippet above. This does look like a bug and if someone uses setsebool > > to set a non-persistent boolean on an unmanaged system it appears that > > it will indeed make it permanent. > > > > What about this: > > diff -r 130ab1cdcc3a policycoreutils/setsebool/setsebool.c > --- a/policycoreutils/setsebool/setsebool.c Thu Nov 16 17:11:37 2006 -0500 > +++ b/policycoreutils/setsebool/setsebool.c Mon Nov 20 15:01:14 2006 -0500 > @@ -115,7 +115,7 @@ static int semanage_set_boolean_list(siz > goto err; > > } else if (managed == 0) { > - if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0) > + if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0) > goto err; > goto out; > } > > Signed-off-by Karl MacMillan <kmacmillan@mentalrootkit.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2006-11-20 20:10 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2006-11-20 9:02 Question about setsebool.c Yuichi Nakamura 2006-11-20 16:01 ` Karl MacMillan 2006-11-20 18:39 ` Joshua Brindle 2006-11-20 19:59 ` Stephen Smalley 2006-11-20 20:04 ` Karl MacMillan 2006-11-20 20:10 ` Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.