From: Daniel Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
Petr Lautrbach <plautrba@redhat.com>
Cc: selinux@vger.kernel.org, jwcart2@tycho.nsa.gov
Subject: Re: [PATCH v2] setsebool: support use of -P on SELinux-disabled hosts
Date: Tue, 15 Jan 2019 13:46:37 -0500 [thread overview]
Message-ID: <b89294c7-bf19-00b2-49c6-bdd2bafcc89d@redhat.com> (raw)
In-Reply-To: <6bbfbf92-f3a0-f197-46b2-acd64566f9e8@tycho.nsa.gov>
On 1/15/19 1:03 PM, Stephen Smalley wrote:
> On 1/15/19 11:22 AM, Petr Lautrbach wrote:
>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>
>>> On 1/14/19 6:31 AM, Petr Lautrbach wrote:
>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>
>>>>> As reported in #123, setsebool immediately exits with an error if
>>>>> SELinux is disabled, preventing its use for setting boolean
>>>>> persistent
>>>>> values. In contrast, semanage boolean -m works on SELinux-disabled
>>>>> hosts. Change setsebool so that it can be used with the -P option
>>>>> (persistent changes) even if SELinux is disabled. In the
>>>>> SELinux-disabled
>>>>> case, skip setting of active boolean values, but set the
>>>>> persistent value
>>>>> in the policy store. Policy reload is automatically disabled by
>>>>> libsemanage
>>>>> when SELinux is disabled, so we only need to call
>>>>> semanage_set_reload()
>>>>> if -N was used.
>>>>>
>>>>
>>>> So right now, `setsebool -N` and `semanage boolean -N` have the
>>>> same effect that
>>>> `load_policy` is not run, but the value of the boolean is changed when
>>>> SELinux is enabled so it affects the system. Would it make sense to
>>>> use
>>>> -N to just change values in the store and do not change the value
>>>> in the
>>>> running kernel? E.g.
>>>>
>>>> --- a/policycoreutils/setsebool/setsebool.c
>>>> +++ b/policycoreutils/setsebool/setsebool.c
>>>> @@ -187,11 +187,14 @@ static int semanage_set_boolean_list(size_t
>>>> boolcnt,
>>>> boolean) < 0)
>>>> goto err;
>>>> - if (enabled && semanage_bool_set_active(handle,
>>>> bool_key,
>>>> boolean) < 0) {
>>>> - fprintf(stderr, "Failed to change boolean
>>>> %s: %m\n",
>>>> - boollist[j].name);
>>>> - goto err;
>>>> - }
>>>> + if (no_reload)
>>>> + semanage_set_reload(handle, 0);
>>>> + else
>>>> + if (enabled &&
>>>> semanage_bool_set_active(handle, bool_key, boolean) < 0) {
>>>> + fprintf(stderr, "Failed to change
>>>> boolean %s: %m\n",
>>>> +
>>>> boollist[j].name);
>>>> + goto err;
>>>> + }
>>>>
>>>>
>>>> A similar patch would need to be applied to seobject.py as well in
>>>> this case.
>>>
>>> That makes sense to me logically (in fact, I don't really understand
>>> why
>>> setsebool w/o -P would ever trigger a reload), but I guess the
>>> concern is
>>> whether any existing users rely on the current behavior, e.g. the %post
>>> scriptlet in container-selinux that led to this issue.
>>
>> container-selinux.spec:
>> ==========================================================================
>>
>> # Install all modules in a single transaction
>> if [ $1 -eq 1 ]; then
>> %{_sbindir}/setsebool -P -N virt_use_nfs=1
>> virt_sandbox_use_all_caps=1
>> fi
>> ...
>> if %{_sbindir}/selinuxenabled ; then
>> %{_sbindir}/load_policy
>> %relabel_files
>> if [ $1 -eq 1 ]; then
>> restorecon -R %{_sharedstatedir}/docker &> /dev/null || :
>> restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
>> fi
>> fi
>> ==========================================================================
>>
>>
>> It would definitely break this scriptlet on SELinux enabled systems as
>> load_policy preserves booleans.
>>
>> So the question is if it's preferred current behavior with it's side
>> effects or if it's worth to try to fix it and properly announce the
>> change in release notes.
>>
>> I take that it's not nice to change/break things but to me it
>> looks like -N generally considered as option which is used to avoid
>> changes in the running kernel.
>
> As documented in the man page, -N just means that "the policy on disk
> is not reloaded into the kernel.". So from a compatibility and a
> documentation POV, I doubt we can just change this behavior now.
> Looking back at the original commit that added -N to setsebool
> (413b4933ee7203286050c2daf6f9714673cd3a5a) , it says " Fix setsebool
> to use -N to not reload policy into the kernel optional on permanant
> changes." which suggests that the intent was to only affect persistent
> boolean changes IIUC. But cc'ing Dan for clarification.
Yes that was the intention. The goal was to work on disabled systems.
>
>>
>>
>>>
>>>>
>>>>
>>>>
>>>>> Fixes: https://github.com/SELinuxProject/selinux/issues/123
>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>> ---
>>>>> v2 changes setsebool to only call semanage_set_reload() if -N was
>>>>> specified;
>>>>> otherwise we can use the libsemanage defaults just as we do in
>>>>> semodule
>>>>> and semanage.
>>>>> policycoreutils/setsebool/setsebool.c | 15 ++++++---------
>>>>> 1 file changed, 6 insertions(+), 9 deletions(-)
>>>>>
>>>>> diff --git a/policycoreutils/setsebool/setsebool.c
>>>>> b/policycoreutils/setsebool/setsebool.c
>>>>> index 53d3566c..a5157efc 100644
>>>>> --- a/policycoreutils/setsebool/setsebool.c
>>>>> +++ b/policycoreutils/setsebool/setsebool.c
>>>>> @@ -18,7 +18,7 @@
>>>>> #include <errno.h>
>>>>> int permanent = 0;
>>>>> -int reload = 1;
>>>>> +int no_reload = 0;
>>>>> int verbose = 0;
>>>>> int setbool(char **list, size_t start, size_t end);
>>>>> @@ -38,11 +38,6 @@ int main(int argc, char **argv)
>>>>> if (argc < 2)
>>>>> usage();
>>>>> - if (is_selinux_enabled() <= 0) {
>>>>> - fputs("setsebool: SELinux is disabled.\n", stderr);
>>>>> - return 1;
>>>>> - }
>>>>> -
>>>>> while (1) {
>>>>> clflag = getopt(argc, argv, "PNV");
>>>>> if (clflag == -1)
>>>>> @@ -53,7 +48,7 @@ int main(int argc, char **argv)
>>>>> permanent = 1;
>>>>> break;
>>>>> case 'N':
>>>>> - reload = 0;
>>>>> + no_reload = 1;
>>>>> break;
>>>>> case 'V':
>>>>> verbose = 1;
>>>>> @@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t
>>>>> boolcnt,
>>>>> semanage_bool_key_t *bool_key = NULL;
>>>>> int managed;
>>>>> int result;
>>>>> + int enabled = is_selinux_enabled();
>>>>> handle = semanage_handle_create();
>>>>> if (handle == NULL) {
>>>>> @@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t
>>>>> boolcnt,
>>>>> boolean) < 0)
>>>>> goto err;
>>>>> - if (semanage_bool_set_active(handle, bool_key,
>>>>> boolean) < 0) {
>>>>> + if (enabled && semanage_bool_set_active(handle, bool_key,
>>>>> boolean) < 0) {
>>>>> fprintf(stderr, "Failed to change boolean %s: %m\n",
>>>>> boollist[j].name);
>>>>> goto err;
>>>>> @@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t
>>>>> boolcnt,
>>>>> boolean = NULL;
>>>>> }
>>>>> - semanage_set_reload(handle, reload);
>>>>> + if (no_reload)
>>>>> + semanage_set_reload(handle, 0);
>>>>> if (semanage_commit(handle) < 0)
>>>>> goto err;
>
next prev parent reply other threads:[~2019-01-15 18:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-10 16:26 [PATCH v2] setsebool: support use of -P on SELinux-disabled hosts Stephen Smalley
2019-01-12 18:56 ` Nicolas Iooss
2019-01-14 11:31 ` Petr Lautrbach
2019-01-15 13:28 ` Stephen Smalley
2019-01-15 16:22 ` Petr Lautrbach
2019-01-15 18:03 ` Stephen Smalley
2019-01-15 18:46 ` Daniel Walsh [this message]
2019-01-17 14:00 ` Stephen Smalley
2019-01-17 15:10 ` Daniel Walsh
2019-01-18 16:13 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b89294c7-bf19-00b2-49c6-bdd2bafcc89d@redhat.com \
--to=dwalsh@redhat.com \
--cc=jwcart2@tycho.nsa.gov \
--cc=plautrba@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).