selinux.vger.kernel.org archive mirror
* [PATCH] setsebool: report errors from commit phase
From: Topi Miettinen @ 2020-04-26 15:21 UTC
  To: selinux

In case there are errors when committing changes to booleans, the
errors may not be reported to user except by nonzero exit status. With
"setsebool -V" it's possible to see errors from commit phase, but
otherwise the unfixed command is silent:

  # setsebool -V -P secure_mode_insmod=off
libsemanage.semanage_install_final_tmp: Could not copy 
/var/lib/selinux/final/default/contexts/files/file_contexts to 
/etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
libsemanage.semanage_install_final_tmp: Could not copy 
/var/lib/selinux/final/default/contexts/files/file_contexts to 
/etc/selinux/default/contexts/files/file_contexts. (Read-only file system).

Fixed version alerts the user about problems even without -V:
  # setsebool -P secure_mode_insmod=off
Failed to commit changes to booleans: Read-only file system

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
  policycoreutils/setsebool/setsebool.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policycoreutils/setsebool/setsebool.c 
b/policycoreutils/setsebool/setsebool.c
index 9d8abfac..60da5df1 100644
--- a/policycoreutils/setsebool/setsebool.c
+++ b/policycoreutils/setsebool/setsebool.c
@@ -200,8 +200,10 @@ static int semanage_set_boolean_list(size_t boolcnt,

         if (no_reload)
                 semanage_set_reload(handle, 0);
-       if (semanage_commit(handle) < 0)
+       if (semanage_commit(handle) < 0) {
+               fprintf(stderr, "Failed to commit changes to booleans: 
%m\n");
                 goto err;
+       }

         semanage_disconnect(handle);
         semanage_handle_destroy(handle);
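Review bot: the fprintf added in the semanage_commit() failure branch prints errno through %m, but nothing in the visible lines guarantees that errno still holds the cause when semanage_commit() returns a negative value. Any library call made during the commit's own cleanup can overwrite it, and the message would then name an unrelated error or read "Success". Consider saving errno immediately after the call, or wording the message so it stays correct without errno and pointing the user at -V for the libsemanage detail shown in the commit message.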
-- 
2.26.2


* Re: [PATCH] setsebool: report errors from commit phase
From: Nicolas Iooss @ 2020-04-26 18:09 UTC
  To: Topi Miettinen; +Cc: SElinux list

On Sun, Apr 26, 2020 at 5:21 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> In case there are errors when committing changes to booleans, the
> errors may not be reported to user except by nonzero exit status. With
> "setsebool -V" it's possible to see errors from commit phase, but
> otherwise the unfixed command is silent:
>
>   # setsebool -V -P secure_mode_insmod=off
> libsemanage.semanage_install_final_tmp: Could not copy
> /var/lib/selinux/final/default/contexts/files/file_contexts to
> /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
> libsemanage.semanage_install_final_tmp: Could not copy
> /var/lib/selinux/final/default/contexts/files/file_contexts to
> /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
>
> Fixed version alerts the user about problems even without -V:
>   # setsebool -P secure_mode_insmod=off
> Failed to commit changes to booleans: Read-only file system
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

Looks good to me. The patch below has been mangled (tabs have been
replaced by spaces) but I took the patch from your Pull Request
(https://github.com/SELinuxProject/selinux/pull/227.patch) and it
applied cleanly.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

If nobody raises an objection, I will merge the patch tomorrow.

Thanks,
Nicolas

> ---
>   policycoreutils/setsebool/setsebool.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/policycoreutils/setsebool/setsebool.c
> b/policycoreutils/setsebool/setsebool.c
> index 9d8abfac..60da5df1 100644
> --- a/policycoreutils/setsebool/setsebool.c
> +++ b/policycoreutils/setsebool/setsebool.c
> @@ -200,8 +200,10 @@ static int semanage_set_boolean_list(size_t boolcnt,
>
>          if (no_reload)
>                  semanage_set_reload(handle, 0);
> -       if (semanage_commit(handle) < 0)
> +       if (semanage_commit(handle) < 0) {
> +               fprintf(stderr, "Failed to commit changes to booleans:
> %m\n");
>                  goto err;
> +       }
>
>          semanage_disconnect(handle);
>          semanage_handle_destroy(handle);
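Review bot: %m in the added format string is a glibc extension to printf rather than ISO C, so the fprintf line depends on the C library in use; strerror(errno) passed to a plain %s produces the same text portably. The string literal is also wrapped across two lines in this mail, consistent with the mangling mentioned in the reply, so the pull request copy is the one to apply.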
> --
> 2.26.2



* Re: [PATCH] setsebool: report errors from commit phase
From: Nicolas Iooss @ 2020-04-28  7:27 UTC
  To: Topi Miettinen; +Cc: SElinux list

On Sun, Apr 26, 2020 at 8:09 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Sun, Apr 26, 2020 at 5:21 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> >
> > In case there are errors when committing changes to booleans, the
> > errors may not be reported to user except by nonzero exit status. With
> > "setsebool -V" it's possible to see errors from commit phase, but
> > otherwise the unfixed command is silent:
> >
> >   # setsebool -V -P secure_mode_insmod=off
> > libsemanage.semanage_install_final_tmp: Could not copy
> > /var/lib/selinux/final/default/contexts/files/file_contexts to
> > /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
> > libsemanage.semanage_install_final_tmp: Could not copy
> > /var/lib/selinux/final/default/contexts/files/file_contexts to
> > /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
> >
> > Fixed version alerts the user about problems even without -V:
> >   # setsebool -P secure_mode_insmod=off
> > Failed to commit changes to booleans: Read-only file system
> >
> > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>
> Looks good to me. The patch below has been mangled (tabs have been
> replaced by spaces) but I took the patch from your Pull Request
> (https://github.com/SELinuxProject/selinux/pull/227.patch) and it
> applied cleanly.
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> If nobody raises an objection, I will merge the patch tomorrow.

Merged.

Thanks,
Nicolas
>
> > ---
> >   policycoreutils/setsebool/setsebool.c | 4 +++-
> >   1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/policycoreutils/setsebool/setsebool.c
> > b/policycoreutils/setsebool/setsebool.c
> > index 9d8abfac..60da5df1 100644
> > --- a/policycoreutils/setsebool/setsebool.c
> > +++ b/policycoreutils/setsebool/setsebool.c
> > @@ -200,8 +200,10 @@ static int semanage_set_boolean_list(size_t boolcnt,
> >
> >          if (no_reload)
> >                  semanage_set_reload(handle, 0);
> > -       if (semanage_commit(handle) < 0)
> > +       if (semanage_commit(handle) < 0) {
> > +               fprintf(stderr, "Failed to commit changes to booleans:
> > %m\n");
> >                  goto err;
> > +       }
> >
> >          semanage_disconnect(handle);
> >          semanage_handle_destroy(handle);
> > --
> > 2.26.2

