* Minor change to getsebool.
From: Daniel J Walsh @ 2007-03-08 16:12 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
Should be non fatal when executing getsebool -a. I am starting to
label the booleans and different user roles will only be able to
manipulate certain booleans.
So we need to change
getsebool -a will only show booleans that domain can manipulate.
Currently it will report the errors that it can not read. We can either
add a qualifier to silence these or a new option to get only the list of
the ones I can manipulate.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Minor change to getsebool.
From: Stephen Smalley @ 2007-03-08 16:19 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan, Joshua Brindle
On Thu, 2007-03-08 at 11:12 -0500, Daniel J Walsh wrote:
> Should be non fatal when executing getsebool -a. I am starting to
> label the booleans and
> different user roles will only be able to manipulate certain booleans.
>
> So we need to change
>
> getsebool -a will only show booleans that domain can manipulate.
> Currently it will report the errors that it can not read. We can either
> add a qualifier to silence these or a new option to get only the list of
> the ones I can manipulate.
Actually, I'd tend to think we could just silence them by default if
errno is EACCES.
One other possible change to getsebool would be to make it fully
equivalent to setsebool, i.e. add a -P option and have it query
libsemanage to get persistent boolean settings in that case.
--
Stephen Smalley
National Security Agency
* Re: Minor change to getsebool.
From: Daniel J Walsh @ 2007-03-08 16:28 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan, Joshua Brindle
Stephen Smalley wrote:
> On Thu, 2007-03-08 at 11:12 -0500, Daniel J Walsh wrote:
>
>> Should be non fatal when executing getsebool -a. I am starting to
>> label the booleans and
>> different user roles will only be able to manipulate certain booleans.
>>
>> So we need to change
>>
>> getsebool -a will only show booleans that domain can manipulate.
>> Currently it will report the errors that it can not read. We can either
>> add a qualifier to silence these or a new option to get only the list of
>> the ones I can manipulate.
>>
>
> Actually, I'd tend to think we could just silence them by default if
> errno is EACCES.
>
> One other possible change to getsebool would be to make it fully
> equivalent to setsebool, i.e. add a -P option and have it query
> libsemanage to get persistent boolean settings in that case.
>
>
Then it needs to move from libselinux to policycoreutils.
* Re: Minor change to getsebool.
From: Stephen Smalley @ 2007-03-08 16:29 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan, Joshua Brindle
On Thu, 2007-03-08 at 11:28 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-03-08 at 11:12 -0500, Daniel J Walsh wrote:
> >
> >> Should be non fatal when executing getsebool -a. I am starting to
> >> label the booleans and
> >> different user roles will only be able to manipulate certain booleans.
> >>
> >> So we need to change
> >>
> >> getsebool -a will only show booleans that domain can manipulate.
> >> Currently it will report the errors that it can not read. We can either
> >> add a qualifier to silence these or a new option to get only the list of
> >> the ones I can manipulate.
> >>
> >
> > Actually, I'd tend to think we could just silence them by default if
> > errno is EACCES.
> >
> > One other possible change to getsebool would be to make it fully
> > equivalent to setsebool, i.e. add a -P option and have it query
> > libsemanage to get persistent boolean settings in that case.
> >
> >
> Then it needs to move from libselinux to policycoreutils.
Yes, that would be fine. Yet another possible change that has come up
before is a way to export this kind of data in a form that can be easily
imported elsewhere, e.g.
getsebool -P -a --export bools
setsebool -P --import bools
--
Stephen Smalley
National Security Agency
* Re: Minor change to getsebool.
From: Christopher J. PeBenito @ 2007-03-08 19:47 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux
On Thu, 2007-03-08 at 11:12 -0500, Daniel J Walsh wrote:
> I am starting to label the booleans and different user roles will only
> be able to manipulate certain booleans.
This brings up a problem. I'm trying to move booleans/tunables that
only are used in a single module back into that module (see the
booleans-modules branch of refpolicy). The problem is that genfscon
doesn't currently work in modules.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Minor change to getsebool.
From: Daniel J Walsh @ 2007-03-08 20:12 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, SE Linux
Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 11:12 -0500, Daniel J Walsh wrote:
>
>> I am starting to label the booleans and different user roles will only
>> be able to manipulate certain booleans.
>>
>
> This brings up a problem. I'm trying to move booleans/tunables that
> only are used in a single module back into that module (see the
> booleans-modules branch of refpolicy). The problem is that genfscon
> doesn't currently work in modules.
>
>
Yes this is a huge problem, since I would like to be able to label each
boolean separately and then use attributes to control access.
* Re: Minor change to getsebool.
From: Russell Coker @ 2007-03-09 7:42 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Karl MacMillan, Joshua Brindle
On Friday 09 March 2007 03:19, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > getsebool -a will only show booleans that domain can manipulate.
> > Currently it will report the errors that it can not read. We can either
> > add a qualifier to silence these or a new option to get only the list of
> > the ones I can manipulate.
>
> Actually, I'd tend to think we could just silence them by default if
> errno is EACCES.
I think it's good for "getsebool -a" to silently ignore such things.
But "getsebool foo" should display an error if it can't read foo.
> One other possible change to getsebool would be to make it fully
> equivalent to setsebool, i.e. add a -P option and have it query
> libsemanage to get persistent boolean settings in that case.
Makes sense.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
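
Added example, not part of the thread and not getsebool's own source: the error-handling rule the replies converge on, in C. Listing all booleans skips EACCES silently, a named lookup reports every failure, and other errors stay fatal in both modes. The reader callback has the same shape as libselinux's security_get_boolean_active(); fake_reader, show_booleans, and the sample boolean names and results are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Reader callback: returns 0/1 for the boolean's value, or -1 with errno
 * set. Same shape as libselinux's security_get_boolean_active(). */
typedef int (*bool_reader)(const char *name);

/* Constructed stand-in for a policy in which the caller's domain may read
 * only some booleans. Names and results are made up for this example. */
static int fake_reader(const char *name)
{
    if (strcmp(name, "httpd_enable_cgi") == 0) return 1;
    if (strcmp(name, "ftp_home_dir") == 0) return 0;
    if (strcmp(name, "secure_mode") == 0) { errno = EACCES; return -1; }
    errno = ENOENT;                 /* unknown boolean */
    return -1;
}

/* list_all != 0 models "getsebool -a": EACCES is skipped silently.
 * list_all == 0 models "getsebool foo": every failure is reported.
 * Returns the number of booleans printed, or -1 on a reported error. */
static int show_booleans(bool_reader rd, const char **names, int n, int list_all)
{
    int shown = 0;
    for (int i = 0; i < n; i++) {
        int val = rd(names[i]);
        if (val < 0) {
            if (list_all && errno == EACCES)
                continue;           /* not readable by this domain: stay quiet */
            fprintf(stderr, "Error getting active value for %s: %s\n",
                    names[i], strerror(errno));
            return -1;              /* any other error is still fatal */
        }
        printf("%s --> %s\n", names[i], val ? "on" : "off");
        shown++;
    }
    return shown;
}

int main(void)
{
    const char *all[] = { "httpd_enable_cgi", "secure_mode", "ftp_home_dir" };
    const char *one[] = { "secure_mode" };
    show_booleans(fake_reader, all, 3, 1);      /* prints two, skips one */
    return show_booleans(fake_reader, one, 1, 0) < 0 ? 1 : 0;
}
```

Only EACCES is treated as "hidden by policy"; suppressing every errno in list mode would also hide real faults such as a missing or corrupt boolean entry.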