* [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
@ 2009-08-20 18:29 Chad Sellers
2009-08-28 14:16 ` Joshua Brindle
2009-08-31 12:22 ` Shintaro Fujiwara
0 siblings, 2 replies; 7+ messages in thread
From: Chad Sellers @ 2009-08-20 18:29 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, jbrindle, Chad Sellers
Add code to semanage_direct_commit() to notice that the disable_dontaudit
flag has been changed and rebuild the policy if so.
Currently, libsemanage doesn't notice that the disable_dontaudit flag is
set so it does not rebuild the policy. semodule got around this by calling
semanage_set_rebuild() explicitly, but libsemanage should really notice
that this has changed and rebuild appropriately.
---
libsemanage/src/direct_api.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index d563841..0eab399 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* Declare some variables */
int modified = 0, fcontexts_modified, ports_modified,
- seusers_modified, users_extra_modified;
+ seusers_modified, users_extra_modified, dontaudit_modified;
dbase_config_t *users = semanage_user_dbase_local(sh);
dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
@@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* Create or remove the disable_dontaudit flag file. */
path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
+ if (access(path, F_OK) == 0)
+ dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
+ else
+ dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
FILE *touch;
touch = fopen(path, "w");
@@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
modified |= bools->dtable->is_modified(bools->dbase);
modified |= ifaces->dtable->is_modified(ifaces->dbase);
modified |= nodes->dtable->is_modified(nodes->dbase);
+ modified |= dontaudit_modified;
/* If there were policy changes, or explicitly requested, rebuild the policy */
if (sh->do_rebuild || modified) {
--
1.6.2.5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-20 18:29 [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit Chad Sellers
@ 2009-08-28 14:16 ` Joshua Brindle
2009-08-31 12:22 ` Shintaro Fujiwara
1 sibling, 0 replies; 7+ messages in thread
From: Joshua Brindle @ 2009-08-28 14:16 UTC (permalink / raw)
To: Chad Sellers; +Cc: selinux, dwalsh, jbrindle
Chad Sellers wrote:
> Add code to semanage_direct_commit() to notice that the disable_dontaudit
> flag has been changed and rebuild the policy if so.
>
> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
> set so it does not rebuild the policy. semodule got around this by calling
> semanage_set_rebuild() explicitly, but libsemanage should really notice
> that this has changed and rebuild appropriately.
> ---
nit: I'd rather have a flag in memory that says it changed than probing the
filesystem over and over, but that is just my personal preference.
Acked-By: Joshua Brindle <method@manicmethod.com>
> libsemanage/src/direct_api.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index d563841..0eab399 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>
> /* Declare some variables */
> int modified = 0, fcontexts_modified, ports_modified,
> - seusers_modified, users_extra_modified;
> + seusers_modified, users_extra_modified, dontaudit_modified;
> dbase_config_t *users = semanage_user_dbase_local(sh);
> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>
> /* Create or remove the disable_dontaudit flag file. */
> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
> + if (access(path, F_OK) == 0)
> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
> + else
> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
> FILE *touch;
> touch = fopen(path, "w");
> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
> modified |= bools->dtable->is_modified(bools->dbase);
> modified |= ifaces->dtable->is_modified(ifaces->dbase);
> modified |= nodes->dtable->is_modified(nodes->dbase);
> + modified |= dontaudit_modified;
>
> /* If there were policy changes, or explicitly requested, rebuild the policy */
> if (sh->do_rebuild || modified) {
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-20 18:29 [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit Chad Sellers
2009-08-28 14:16 ` Joshua Brindle
@ 2009-08-31 12:22 ` Shintaro Fujiwara
2009-08-31 12:30 ` Daniel J Walsh
1 sibling, 1 reply; 7+ messages in thread
From: Shintaro Fujiwara @ 2009-08-31 12:22 UTC (permalink / raw)
To: Chad Sellers, selinux, Daniel J Walsh, method
Thanks digging in topic that I pinted some time ago.
Why don't you fix semodule to notice which module has permissive.
I notice administrators in my program, i.e. segatex, when listing
modules, list permissive modules.
We tend to forget after we set some module permissive and it's quite
convenient to set permissive when we get certain denied messages, but
it's sad when we forgot we set certain module permissive.
So, I think it's better to let administrators know which module has
permissive module now when he typed "semodule -l ".
Can anybody fix semodule to echo permissive module at the top and
still echo list ?
2009/8/21 Chad Sellers <csellers@tresys.com>:
> Add code to semanage_direct_commit() to notice that the disable_dontaudit
> flag has been changed and rebuild the policy if so.
>
> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
> set so it does not rebuild the policy. semodule got around this by calling
> semanage_set_rebuild() explicitly, but libsemanage should really notice
> that this has changed and rebuild appropriately.
> ---
> libsemanage/src/direct_api.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index d563841..0eab399 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>
> /* Declare some variables */
> int modified = 0, fcontexts_modified, ports_modified,
> - seusers_modified, users_extra_modified;
> + seusers_modified, users_extra_modified, dontaudit_modified;
> dbase_config_t *users = semanage_user_dbase_local(sh);
> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>
> /* Create or remove the disable_dontaudit flag file. */
> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
> + if (access(path, F_OK) == 0)
> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
> + else
> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
> FILE *touch;
> touch = fopen(path, "w");
> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
> modified |= bools->dtable->is_modified(bools->dbase);
> modified |= ifaces->dtable->is_modified(ifaces->dbase);
> modified |= nodes->dtable->is_modified(nodes->dbase);
> + modified |= dontaudit_modified;
>
> /* If there were policy changes, or explicitly requested, rebuild the policy */
> if (sh->do_rebuild || modified) {
> --
> 1.6.2.5
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
--
http://intrajp.no-ip.com/ Home Page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-31 12:22 ` Shintaro Fujiwara
@ 2009-08-31 12:30 ` Daniel J Walsh
2009-08-31 13:02 ` Shintaro Fujiwara
0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2009-08-31 12:30 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: Chad Sellers, selinux, method
On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
> Thanks digging in topic that I pinted some time ago.
>
> Why don't you fix semodule to notice which module has permissive.
>
> I notice administrators in my program, i.e. segatex, when listing
> modules, list permissive modules.
>
> We tend to forget after we set some module permissive and it's quite
> convenient to set permissive when we get certain denied messages, but
> it's sad when we forgot we set certain module permissive.
>
> So, I think it's better to let administrators know which module has
> permissive module now when he typed "semodule -l ".
>
> Can anybody fix semodule to echo permissive module at the top and
> still echo list ?
>
>
> 2009/8/21 Chad Sellers <csellers@tresys.com>:
>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>> flag has been changed and rebuild the policy if so.
>>
>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>> set so it does not rebuild the policy. semodule got around this by calling
>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>> that this has changed and rebuild appropriately.
>> ---
>> libsemanage/src/direct_api.c | 7 ++++++-
>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index d563841..0eab399 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>
>> /* Declare some variables */
>> int modified = 0, fcontexts_modified, ports_modified,
>> - seusers_modified, users_extra_modified;
>> + seusers_modified, users_extra_modified, dontaudit_modified;
>> dbase_config_t *users = semanage_user_dbase_local(sh);
>> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>
>> /* Create or remove the disable_dontaudit flag file. */
>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>> + if (access(path, F_OK) == 0)
>> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
>> + else
>> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
>> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
>> FILE *touch;
>> touch = fopen(path, "w");
>> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>> modified |= bools->dtable->is_modified(bools->dbase);
>> modified |= ifaces->dtable->is_modified(ifaces->dbase);
>> modified |= nodes->dtable->is_modified(nodes->dbase);
>> + modified |= dontaudit_modified;
>>
>> /* If there were policy changes, or explicitly requested, rebuild the policy */
>> if (sh->do_rebuild || modified) {
>> --
>> 1.6.2.5
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
>
>
seinfo --permissive
Will do this.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-31 12:30 ` Daniel J Walsh
@ 2009-08-31 13:02 ` Shintaro Fujiwara
2009-08-31 14:02 ` Daniel J Walsh
0 siblings, 1 reply; 7+ messages in thread
From: Shintaro Fujiwara @ 2009-08-31 13:02 UTC (permalink / raw)
To: Daniel J Walsh, Chad Sellers, method, selinux
Well, in F11 I typed,
seinfo --permissive but got an error...
I basically understand that I should take care of permissive module, though.
2009/8/31 Daniel J Walsh <dwalsh@redhat.com>:
> On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
>> Thanks digging in topic that I pinted some time ago.
>>
>> Why don't you fix semodule to notice which module has permissive.
>>
>> I notice administrators in my program, i.e. segatex, when listing
>> modules, list permissive modules.
>>
>> We tend to forget after we set some module permissive and it's quite
>> convenient to set permissive when we get certain denied messages, but
>> it's sad when we forgot we set certain module permissive.
>>
>> So, I think it's better to let administrators know which module has
>> permissive module now when he typed "semodule -l ".
>>
>> Can anybody fix semodule to echo permissive module at the top and
>> still echo list ?
>>
>>
>> 2009/8/21 Chad Sellers <csellers@tresys.com>:
>>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>>> flag has been changed and rebuild the policy if so.
>>>
>>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>>> set so it does not rebuild the policy. semodule got around this by calling
>>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>>> that this has changed and rebuild appropriately.
>>> ---
>>> libsemanage/src/direct_api.c | 7 ++++++-
>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>> index d563841..0eab399 100644
>>> --- a/libsemanage/src/direct_api.c
>>> +++ b/libsemanage/src/direct_api.c
>>> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>
>>> /* Declare some variables */
>>> int modified = 0, fcontexts_modified, ports_modified,
>>> - seusers_modified, users_extra_modified;
>>> + seusers_modified, users_extra_modified, dontaudit_modified;
>>> dbase_config_t *users = semanage_user_dbase_local(sh);
>>> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>>> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
>>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>
>>> /* Create or remove the disable_dontaudit flag file. */
>>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>>> + if (access(path, F_OK) == 0)
>>> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>> + else
>>> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
>>> FILE *touch;
>>> touch = fopen(path, "w");
>>> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>> modified |= bools->dtable->is_modified(bools->dbase);
>>> modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>> modified |= nodes->dtable->is_modified(nodes->dbase);
>>> + modified |= dontaudit_modified;
>>>
>>> /* If there were policy changes, or explicitly requested, rebuild the policy */
>>> if (sh->do_rebuild || modified) {
>>> --
>>> 1.6.2.5
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>
>>
>>
> seinfo --permissive
>
> Will do this.
>
--
http://intrajp.no-ip.com/ Home Page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-31 13:02 ` Shintaro Fujiwara
@ 2009-08-31 14:02 ` Daniel J Walsh
2009-08-31 20:51 ` Shintaro Fujiwara
0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2009-08-31 14:02 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: Chad Sellers, method, selinux
On 08/31/2009 09:02 AM, Shintaro Fujiwara wrote:
> Well, in F11 I typed,
>
> seinfo --permissive but got an error...
>
> I basically understand that I should take care of permissive module, though.
>
>
Yes this is in Rawhide/F12
>
> 2009/8/31 Daniel J Walsh <dwalsh@redhat.com>:
>> On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
>>> Thanks digging in topic that I pinted some time ago.
>>>
>>> Why don't you fix semodule to notice which module has permissive.
>>>
>>> I notice administrators in my program, i.e. segatex, when listing
>>> modules, list permissive modules.
>>>
>>> We tend to forget after we set some module permissive and it's quite
>>> convenient to set permissive when we get certain denied messages, but
>>> it's sad when we forgot we set certain module permissive.
>>>
>>> So, I think it's better to let administrators know which module has
>>> permissive module now when he typed "semodule -l ".
>>>
>>> Can anybody fix semodule to echo permissive module at the top and
>>> still echo list ?
>>>
>>>
>>> 2009/8/21 Chad Sellers <csellers@tresys.com>:
>>>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>>>> flag has been changed and rebuild the policy if so.
>>>>
>>>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>>>> set so it does not rebuild the policy. semodule got around this by calling
>>>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>>>> that this has changed and rebuild appropriately.
>>>> ---
>>>> libsemanage/src/direct_api.c | 7 ++++++-
>>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>>>
>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>> index d563841..0eab399 100644
>>>> --- a/libsemanage/src/direct_api.c
>>>> +++ b/libsemanage/src/direct_api.c
>>>> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>
>>>> /* Declare some variables */
>>>> int modified = 0, fcontexts_modified, ports_modified,
>>>> - seusers_modified, users_extra_modified;
>>>> + seusers_modified, users_extra_modified, dontaudit_modified;
>>>> dbase_config_t *users = semanage_user_dbase_local(sh);
>>>> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>>>> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
>>>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>
>>>> /* Create or remove the disable_dontaudit flag file. */
>>>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>>>> + if (access(path, F_OK) == 0)
>>>> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>> + else
>>>> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
>>>> FILE *touch;
>>>> touch = fopen(path, "w");
>>>> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>> modified |= bools->dtable->is_modified(bools->dbase);
>>>> modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>>> modified |= nodes->dtable->is_modified(nodes->dbase);
>>>> + modified |= dontaudit_modified;
>>>>
>>>> /* If there were policy changes, or explicitly requested, rebuild the policy */
>>>> if (sh->do_rebuild || modified) {
>>>> --
>>>> 1.6.2.5
>>>>
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>
>>>
>>>
>> seinfo --permissive
>>
>> Will do this.
>>
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit
2009-08-31 14:02 ` Daniel J Walsh
@ 2009-08-31 20:51 ` Shintaro Fujiwara
0 siblings, 0 replies; 7+ messages in thread
From: Shintaro Fujiwara @ 2009-08-31 20:51 UTC (permalink / raw)
To: Daniel J Walsh, Chad Sellers, selinux, method
I understand.
Good work.
Thanks.
2009/8/31 Daniel J Walsh <dwalsh@redhat.com>:
> On 08/31/2009 09:02 AM, Shintaro Fujiwara wrote:
>> Well, in F11 I typed,
>>
>> seinfo --permissive but got an error...
>>
>> I basically understand that I should take care of permissive module, though.
>>
>>
> Yes this is in Rawhide/F12
>
>>
>> 2009/8/31 Daniel J Walsh <dwalsh@redhat.com>:
>>> On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
>>>> Thanks digging in topic that I pinted some time ago.
>>>>
>>>> Why don't you fix semodule to notice which module has permissive.
>>>>
>>>> I notice administrators in my program, i.e. segatex, when listing
>>>> modules, list permissive modules.
>>>>
>>>> We tend to forget after we set some module permissive and it's quite
>>>> convenient to set permissive when we get certain denied messages, but
>>>> it's sad when we forgot we set certain module permissive.
>>>>
>>>> So, I think it's better to let administrators know which module has
>>>> permissive module now when he typed "semodule -l ".
>>>>
>>>> Can anybody fix semodule to echo permissive module at the top and
>>>> still echo list ?
>>>>
>>>>
>>>> 2009/8/21 Chad Sellers <csellers@tresys.com>:
>>>>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>>>>> flag has been changed and rebuild the policy if so.
>>>>>
>>>>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>>>>> set so it does not rebuild the policy. semodule got around this by calling
>>>>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>>>>> that this has changed and rebuild appropriately.
>>>>> ---
>>>>> libsemanage/src/direct_api.c | 7 ++++++-
>>>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>
>>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>>> index d563841..0eab399 100644
>>>>> --- a/libsemanage/src/direct_api.c
>>>>> +++ b/libsemanage/src/direct_api.c
>>>>> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>>
>>>>> /* Declare some variables */
>>>>> int modified = 0, fcontexts_modified, ports_modified,
>>>>> - seusers_modified, users_extra_modified;
>>>>> + seusers_modified, users_extra_modified, dontaudit_modified;
>>>>> dbase_config_t *users = semanage_user_dbase_local(sh);
>>>>> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>>>>> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
>>>>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>>
>>>>> /* Create or remove the disable_dontaudit flag file. */
>>>>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>>>>> + if (access(path, F_OK) == 0)
>>>>> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>>> + else
>>>>> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>>> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
>>>>> FILE *touch;
>>>>> touch = fopen(path, "w");
>>>>> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>> modified |= bools->dtable->is_modified(bools->dbase);
>>>>> modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>>>> modified |= nodes->dtable->is_modified(nodes->dbase);
>>>>> + modified |= dontaudit_modified;
>>>>>
>>>>> /* If there were policy changes, or explicitly requested, rebuild the policy */
>>>>> if (sh->do_rebuild || modified) {
>>>>> --
>>>>> 1.6.2.5
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>
>>>>
>>>>
>>>>
>>> seinfo --permissive
>>>
>>> Will do this.
>>>
>>
>>
>>
>
>
--
http://intrajp.no-ip.com/ Home Page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2009-08-31 20:51 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-20 18:29 [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit Chad Sellers
2009-08-28 14:16 ` Joshua Brindle
2009-08-31 12:22 ` Shintaro Fujiwara
2009-08-31 12:30 ` Daniel J Walsh
2009-08-31 13:02 ` Shintaro Fujiwara
2009-08-31 14:02 ` Daniel J Walsh
2009-08-31 20:51 ` Shintaro Fujiwara
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.