* semanage: should -a imply -m?
@ 2012-09-28 19:18 Eric Paris
From: Eric Paris @ 2012-09-28 19:18 UTC (permalink / raw)
To: selinux
Dan has a patch in Fedora which causes semanage -a to act like semanage
-m if the record already exists instead of raising an error and
aborting. Example of the patch is below:
@@ -493,7 +493,9 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
- raise ValueError(_("Login mapping for %s is already defined") % name)
+ semanage_seuser_key_free(k)
+ return self.__modify(name, sename, serange)
+
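Review bot: replacing the `raise` with `return self.__modify(name, sename, serange)` turns `-a` on an existing record into a silent modify, so the caller is never told that a mapping for `name` already existed and may be overwriting one with different `sename`/`serange` values; consider emitting a warning on that path or making the fallback opt-in rather than unconditional. Note also that the new branch calls `semanage_seuser_key_free(k)` before returning, which the removed `raise` line did not; make sure nothing after the `if exists:` block in this function still expects `k` to be valid.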
What do others think about this? Should we cause -a to act like -m or
should it abort? Should we force the -a -> -m logic up to the caller?
I guess I'm fine with either. Is semanage -a enough like semodule -i
and -m like -u that this would actually be expected behavior?
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: semanage: should -a imply -m?
@ 2012-09-29 12:39 ` Sutton, Harry (GSE)
From: Sutton, Harry (GSE) @ 2012-09-29 12:39 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux
On 09/28/2012 03:18 PM, Eric Paris wrote:
> What do others think about this? Should we cause -a to act like -m or
> should it abort? Should we force the -a -> -m logic up to the caller?
> I guess I'm fine with either. Is semanage -a enough like semodule -i
> and -m like -u that this would actually be expected behavior?
>
I'm inclined to think it should be the other way around, that is, -m
should act like -a.
If you create a new rule using semanage -a that differs in multiple but
potentially subtle ways from an existing entry you are unaware of, the
result may not be at all what you wanted; in that case, the user should
be warned that the record already exists. Maybe a compromise, to improve
usability, would be to test for single vs multiple changes before
throwing an error.
/Harry
* Re: semanage: should -a imply -m?
@ 2012-10-01 9:22 ` Daniel J Walsh
From: Daniel J Walsh @ 2012-10-01 9:22 UTC (permalink / raw)
To: Sutton, Harry (GSE); +Cc: Eric Paris, selinux
On 09/29/2012 08:39 AM, Sutton, Harry (GSE) wrote:
> On 09/28/2012 03:18 PM, Eric Paris wrote:
>> What do others think about this? Should we cause -a to act like -m or
>> should it abort? Should we force the -a -> -m logic up to the caller? I
>> guess I'm fine with either. Is semanage -a enough like semodule -i and
>> -m like -u that this would actually be expected behavior?
>>
> I'm inclined to think it should be the other way around, that is, -m should
> act like -a.
>
> If you create a new rule using semanage -a that differs in multiple but
> potentially subtle ways from an existing entry you are unaware of, the
> result may not be at all what you wanted; in that case, the user should be
> warned that the record already exists. Maybe a compromise, to improve
> usability, would be to test for single vs multiple changes before throwing
> an error.
>
> /Harry
>
The reason this was added to Fedora was the case of someone adding a port
definition or file context definition in a post install. They did not want to
have to figure out if the definition was there or not.
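As an added illustration (not semanage's own code), a toy record store that models the three behaviours this thread discusses for `-a` on a record that already exists: the original abort, the Fedora patch's silent fallback to `-m` that Dan describes for post-install scripts, and Harry's compromise of falling back only when a single field differs. The class, the field names and the `on_exists` switch are assumptions for this example.

```python
# Added example, not semanage's code: a toy model of the login-mapping
# records class, enough to compare the "-a on an existing record" policies.
from dataclasses import dataclass


@dataclass
class LoginRecord:
    """Stand-in for one SELinux login mapping: name -> SELinux user, MLS range."""
    name: str
    sename: str
    serange: str


class LoginRecords:
    def __init__(self):
        self._records = {}

    def _exists(self, name):
        return name in self._records

    def modify(self, name, sename, serange):
        # "-m": modifying a record that does not exist is an error.
        if not self._exists(name):
            raise ValueError("Login mapping for %s is not defined" % name)
        self._records[name] = LoginRecord(name, sename, serange)

    def add(self, name, sename, serange, on_exists="error"):
        """Behaviour of "-a" when the record exists, chosen by on_exists:
          "error"  : abort (original semanage behaviour)
          "modify" : silently behave like -m (the Fedora patch)
          "single" : Harry's compromise: behave like -m only when at most one
                     field differs, abort when several differ at once
        """
        if self._exists(name):
            old = self._records[name]
            if on_exists == "modify":
                return self.modify(name, sename, serange)
            if on_exists == "single":
                changed = [f for f, v in (("sename", sename), ("serange", serange))
                           if getattr(old, f) != v]
                if len(changed) <= 1:
                    return self.modify(name, sename, serange)
                raise ValueError("Login mapping for %s is already defined and "
                                 "differs in %s" % (name, ", ".join(changed)))
            raise ValueError("Login mapping for %s is already defined" % name)
        self._records[name] = LoginRecord(name, sename, serange)

    def get(self, name):
        return self._records.get(name)
```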