From: <ssm...@us...> - 2006-11-21 20:53:19
Revision: 2096
http://svn.sourceforge.net/selinux/?rev=2096&view=rev
Author: ssmalley
Date: 2006-11-21 12:52:25 -0800 (Tue, 21 Nov 2006)

Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: Question about setsebool.c
Date: Mon, 20 Nov 2006 15:04:10 -0500

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Yuichi Nakamura wrote:
>>> Hi, I looked at the latest policycoreutils code.
>>> (policycoreutils-1.33.1-9.fc7.src.rpm)
>>>
>>> And found strange code in setsebool.c.
>>>
>>> 94 /* Apply (permanent) boolean changes to policy via libsemanage */
>>> 95 static int semanage_set_boolean_list(size_t boolcnt,
>>> 96                                      SELboolean * boollist,
>>>                                         int perm)
>>> 97 {
>>> <snip>
>>> 117         } else if (managed == 0) {
>>> 118                 if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
>>> 119                         goto err;
>>> 120                 goto out;
>>> 121         }
>>>
>>> Why is the 3rd arg for selinux_set_boolean_list "1"?
>>> Should it be "perm"?
>>>
>>
>> Looks that way to me. Additionally, is it even possible to make a
>> non-permanent change to a boolean via semanage? If not, then this code
>> path should check for that. Josh?
>>
> libsemanage is only responsible for the persistent changes, setsebool

That is not how the current setsebool.c code works - see:

        if (perm && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
                goto err;

Testing confirms that this allows setting non-persistent booleans via
semanage using setsebool.

> sets the non-persistent directly, in fact demonstrated by the code
> snippet above. This does look like a bug and if someone uses setsebool
> to set a non-persistent boolean on an unmanaged system it appears that
> it will indeed make it permanent.
> What about this: Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION trunk/policycoreutils/setsebool/setsebool.c Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/ChangeLog 2006-11-21 20:52:25 UTC (rev 2096) @@ -1,3 +1,8 @@ +1.33.3 2006-11-21 + * Merged setsebool patch from Karl MacMillan. + This fixes a bug reported by Yuichi Nakamura with + always setting booleans persistently on an unmanaged system. + 1.33.2 2006-11-20 * Merged patch from Dan Walsh (via Karl MacMillan): * Added newrole audit message on login failure Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/VERSION 2006-11-21 20:52:25 UTC (rev 2096) @@ -1 +1 @@ -1.33.2 +1.33.3 Modified: trunk/policycoreutils/setsebool/setsebool.c =================================================================== --- trunk/policycoreutils/setsebool/setsebool.c 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/setsebool/setsebool.c 2006-11-21 20:52:25 UTC (rev 2096) @@ -115,7 +115,7 @@ goto err; } else if (managed == 0) { - if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0) + if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0) goto err; goto out; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
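Review bot: the setsebool.c hunk is correct, and it brings the unmanaged branch in line with the managed branch, which already gates its persistent write on perm (the `if (perm && semanage_bool_modify_local(handle, bool_key, boolean) < 0) goto err;` quoted in the log message), so a plain `setsebool` without -P no longer outlives a reboot on either kind of system. Since the hard-coded 1 sat unnoticed until Yuichi Nakamura read the source, a one-line comment at this call site saying that the third argument is libselinux's permanent flag would make the intent visible to the next reader, and the ChangeLog entry could say explicitly that the pre-fix behaviour turned an intentionally temporary policy relaxation into a persistent one, which is why this matters beyond plain correctness.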
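The effect of the hard-coded third argument, as an added model written for this page rather than code from policycoreutils or libselinux: the real `selinux_set_boolean_list()` is replaced by a hypothetical stand-in that records where a change landed, and the two `unmanaged_set_*` functions reproduce the unmanaged branch before and after r2096. The boolean name and the fake store are constructed for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Same shape as libselinux's SELboolean: a name and a new value. */
typedef struct { char *name; int value; } SELboolean;

/* Fake store standing in for the kernel's active value and the on-disk
 * persistent value; -1 means "untouched". Constructed for this model. */
static int active_value = -1;
static int persistent_value = -1;

/* Hypothetical stand-in for selinux_set_boolean_list(): the third argument
 * is the permanent flag, exactly as in the real libselinux signature. */
static int mock_selinux_set_boolean_list(size_t boolcnt, SELboolean *boollist,
                                         int permanent)
{
    if (boolcnt != 1)
        return -1;
    active_value = boollist[0].value;
    if (permanent)
        persistent_value = boollist[0].value;
    return 0;
}

/* Unmanaged branch as it was before r2096: 'perm' (setsebool -P) is ignored. */
static int unmanaged_set_before_fix(size_t boolcnt, SELboolean *boollist, int perm)
{
    (void)perm;
    return mock_selinux_set_boolean_list(boolcnt, boollist, 1);
}

/* Unmanaged branch after r2096: 'perm' is passed through unchanged. */
static int unmanaged_set_after_fix(size_t boolcnt, SELboolean *boollist, int perm)
{
    return mock_selinux_set_boolean_list(boolcnt, boollist, perm);
}

/* Request a non-persistent change (perm == 0) through 'fn' and report
 * whether it reached the persistent store anyway: 1 = leaked, 0 = ok. */
static int leaks_to_persistent(int (*fn)(size_t, SELboolean *, int))
{
    static char name[] = "example_bool";        /* constructed name */
    SELboolean b = { name, 1 };
    active_value = persistent_value = -1;
    if (fn(1, &b, 0) < 0)
        return -1;
    return persistent_value == 1 && active_value == 1;
}

int main(void)
{
    printf("before fix leaks: %d\n", leaks_to_persistent(unmanaged_set_before_fix));
    printf("after fix leaks:  %d\n", leaks_to_persistent(unmanaged_set_after_fix));
    return 0;
}
```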