selinux August 2009 archive

Re: [PATCH] Fix semanage_direct_commit() to notice disable_dontaudit

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon Aug 31 2009 - 14:02:27 GMT
To: Shintaro Fujiwara <shintaro.fujiwara@gmail.com>


On 08/31/2009 09:02 AM, Shintaro Fujiwara wrote:
> Well, in F11 I typed,
>
> seinfo --permissive but got an error...
>
> I basically understand that I should take care of permissive module, though.
>
>

Yes, this is in Rawhide/F12.

>
> 2009/8/31 Daniel J Walsh <dwalsh@redhat.com>:
>> On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
>>> Thanks for digging into the topic that I pointed out some time ago.
>>>
>>> Why don't you fix semodule to notice which modules are permissive?
>>>
>>> I notify administrators in my program, i.e. segatex, when listing
>>> modules, by listing the permissive modules.
>>>
>>> We tend to forget after we set some module permissive, and it's quite
>>> convenient to set permissive when we get certain denied messages, but
>>> it's sad when we forget that we set a certain module permissive.
>>>
>>> So, I think it's better to let administrators know which modules are
>>> permissive now when they type "semodule -l".
>>>
>>> Can anybody fix semodule to echo the permissive modules at the top and
>>> still echo the list?
>>>
>>>
>>> 2009/8/21 Chad Sellers <csellers@tresys.com>:
>>>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>>>> flag has been changed and rebuild the policy if so.
>>>>
>>>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>>>> set so it does not rebuild the policy. semodule got around this by calling
>>>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>>>> that this has changed and rebuild appropriately.
>>>> ---
>>>> libsemanage/src/direct_api.c | 7 ++++++-
>>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>>>
>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>> index d563841..0eab399 100644
>>>> --- a/libsemanage/src/direct_api.c
>>>> +++ b/libsemanage/src/direct_api.c
>>>> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>
>>>> /* Declare some variables */
>>>> int modified = 0, fcontexts_modified, ports_modified,
>>>> - seusers_modified, users_extra_modified;
>>>> + seusers_modified, users_extra_modified, dontaudit_modified;
>>>> dbase_config_t *users = semanage_user_dbase_local(sh);
>>>> dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>>>> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
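Review bot: dontaudit_modified is declared without an initializer alongside the other *_modified flags; it is assigned on both branches of the new if/else below, so there is no read of an uninitialized value today, but initializing it here (`int modified = 0, ..., dontaudit_modified = 0;`) would match the existing `modified = 0` convention and keep any future early return or goto-cleanup path from ORing garbage into `modified`.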
>>>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>>
>>>> /* Create or remove the disable_dontaudit flag file. */
>>>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>>>> + if (access(path, F_OK) == 0)
>>>> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>> + else
>>>> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
>>>> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
>>>> FILE *touch;
>>>> touch = fopen(path, "w");
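Review bot: any failure of access() is treated as "flag file absent", but access(2) also fails with EACCES or on a stat error, in which case the else branch computes dontaudit_modified purely from the sepol setting and can force a policy rebuild that nothing actually requested; checking `errno == ENOENT` before taking the else branch would make the comparison exact. The two branches also collapse to a single expression, `dontaudit_modified = ((access(path, F_OK) == 0) != (sepol_get_disable_dontaudit(sh->sepolh) == 1));`, which reads more directly as "on-disk state differs from requested state". Since the path is taken from SEMANAGE_TMP, a short comment stating that the tmp store is a copy of the active store at this point, and therefore reflects the currently committed flag, would document the assumption the comparison relies on.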
>>>> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>>> modified |= bools->dtable->is_modified(bools->dbase);
>>>> modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>>> modified |= nodes->dtable->is_modified(nodes->dbase);
>>>> + modified |= dontaudit_modified;
>>>>
>>>> /* If there were policy changes, or explicitly requested, rebuild the policy */
>>>> if (sh->do_rebuild || modified) {
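Review bot: once dontaudit_modified is folded into `modified` here, the explicit semanage_set_rebuild() call that the commit message describes as semodule's workaround becomes redundant, and leaving it in place means `semodule -D`/`-B` still forces a full rebuild even when the flag did not change; a follow-up patch should drop that call from semodule so this detection is what actually drives the rebuild. The comment above this line ("If there were policy changes, or explicitly requested") could also mention the dontaudit flag as one of the tracked changes.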
>>>> --
>>>> 1.6.2.5
>>>>
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>> seinfo --permissive
>>
>> Will do this.
>>
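The listing Shintaro asks for above (permissive modules echoed at the top, then the full module list) can be built on top of the existing `semodule -l` output without changing semodule. The script below is an added example, not code from the thread, segatex or the policycoreutils project. It assumes the convention that `semanage permissive -a <type>` records each permissive domain as a policy module named `permissive_<type>`, and that `semodule -l` prints one `name<TAB>version` line per module; the module names in the sample are constructed to stand in for a real `semodule -l` run.

```shell
#!/bin/sh
# Added example: surface permissive domains ahead of the full module list.
#
# Assumptions (not verified against the thread):
#   - "semanage permissive -a <type>" installs a module named permissive_<type>
#   - "semodule -l" prints "name<TAB>version" lines
# Usage on a live system:  semodule -l | annotated_module_list

# Constructed sample standing in for `semodule -l` on a host where two
# domains (httpd_t and named_t) were made permissive and then forgotten.
SAMPLE_MODULES=$(printf 'apache\t2.1.0\npermissive_httpd_t\t1.0\npostfix\t1.12.0\npermissive_named_t\t1.0\nssh\t2.0.0')

# Read semodule -l lines on stdin; print the domain type behind each
# permissive_* module, one per line, with the prefix stripped.
permissive_domains() {
    awk -F'\t' '$1 ~ /^permissive_/ { sub(/^permissive_/, "", $1); print $1 }'
}

# Read semodule -l lines on stdin; print a "Permissive domains" header block
# first (only when at least one exists), then the unmodified module list.
annotated_module_list() {
    awk -F'\t' '
        $1 ~ /^permissive_/ { perm[n++] = $1 }
        { all[m++] = $0 }
        END {
            if (n > 0) {
                print "Permissive domains (from permissive_* modules):"
                for (i = 0; i < n; i++) {
                    t = perm[i]
                    sub(/^permissive_/, "", t)
                    print "  " t
                }
                print ""
            }
            for (i = 0; i < m; i++) print all[i]
        }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MODULES" | annotated_module_list
```

On a Rawhide/F12 box the same information is available directly from `seinfo --permissive`, as Dan notes; the point of the wrapper is only that an admin who habitually runs `semodule -l` sees the permissive domains without remembering to run a second tool.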