Bug 173598

Summary: default booleans not in effect after reboot
Product: [Fedora] Fedora
Reporter: Alexandre Oliva <oliva>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Last Closed: 2005-11-30 20:19:26 UTC

Description Alexandre Oliva 2005-11-18 15:47:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20051103 Fedora/1.5-0.5.0.rc1 Firefox/1.5

Description of problem:
Boolean defaults defined in /etc/selinux/targeted/booleans are not in effect when the system is brought up.  An NFS server, for example, won't let clients access mount points, because nfs_export_all_* are not enabled.  As soon as I run 

setsebool $(grep -v ^# /etc/selinux/targeted/booleans )

everything starts working as expected (modulo other known policy bugs :-)

I don't even have a booleans.local file, so that's not it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.2-19

How reproducible:
Always

Steps to Reproduce:
1. Boot up
2. Check whether the default booleans are set

Actual Results:  They are not

Expected Results:  They should be

Additional info:

Comment 1 Daniel Walsh 2005-11-18 16:50:01 UTC
Did you install reference policy and then remove it?  If yes, could you
rm -rf /etc/selinux/targeted/modules?

This might be causing init to be confused and think you are running reference
policy.  Reference policy ignores the booleans file, because it gets compiled
into the policy.

Dan

Comment 2 Alexandre Oliva 2005-11-18 17:52:45 UTC
If you mean selinux-targeted-policy-2.0.0 that hit rawhide a few days ago and
was later downgraded, yes, I did.  Unfortunately, even after rm -rf
/etc/selinux/targeted/modules and a reboot, I still get:

getsebool -a | grep nfs
nfs_export_all_ro --> inactive
nfs_export_all_rw --> inactive
nfsd_disable_trans --> inactive
use_nfs_home_dirs --> inactive

whereas 

# grep nfs /etc/selinux/targeted/booleans
nfs_export_all_ro=1
nfs_export_all_rw=1
use_nfs_home_dirs=0

:-(

Where is it that these booleans get set up?  I could try to debug it from there,
but I just can't figure out where they're supposed to be loaded.  Thanks,

Comment 3 Daniel Walsh 2005-11-18 18:26:33 UTC
In /etc/selinux/config, remove the
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

or set it to 1

See if that fixes it.

Comment 4 Alexandre Oliva 2005-11-19 02:01:21 UTC
Thank you very much, that did it.

I was about to close this as NOTABUG, but then I thought you might want to take
such downgrade cases into account in the reference package (if at all possible)
to avoid problems like the one I ran into.
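
The comparison done by hand in Comment 2, together with the SETLOCALDEFS check from Comment 3, as an added example that is not part of the original bug report or of the selinux-policy package. The function names and the sample files are constructed for illustration, and the booleans file is assumed to hold name=0|1 lines as shown in Comment 2.

```sh
#!/bin/sh
# Added example (not from the bug report): detect drift between a booleans
# defaults file and captured `getsebool -a` output.

# boolean_drift DEFAULTS_FILE GETSEBOOL_FILE
# Assumes name=0|1 lines in the defaults file, as in Comment 2.
boolean_drift() {
    awk '
        FILENAME == ARGV[1] {            # captured getsebool -a output
            if ($2 == "-->") state[$1] = ($3 == "active" || $3 == "on") ? 1 : 0
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # defaults file: skip comments, blanks
        {
            if (split($0, kv, "=") != 2) next
            name = kv[1]; want = kv[2] + 0
            gsub(/[ \t]/, "", name)
            if (!(name in state))
                printf "%s expected=%d actual=missing\n", name, want
            else if (state[name] != want)
                printf "%s expected=%d actual=%d\n", name, want, state[name]
        }
    ' "$2" "$1"
}

# setlocaldefs_value CONFIG_FILE: print the SETLOCALDEFS value, or "unset".
setlocaldefs_value() {
    awk -F= '
        /^[ \t]*SETLOCALDEFS[ \t]*=/ { v = $2; gsub(/[ \t\r]/, "", v); found = 1 }
        END { print (found ? v : "unset") }
    ' "$1"
}

# Constructed sample data mirroring the listings in Comments 2 and 3.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed sample' 'nfs_export_all_ro=1' \
    'nfs_export_all_rw=1' 'use_nfs_home_dirs=0' > "$demo_dir/booleans"
printf '%s\n' 'nfs_export_all_ro --> inactive' 'nfs_export_all_rw --> inactive' \
    'nfsd_disable_trans --> inactive' 'use_nfs_home_dirs --> inactive' \
    > "$demo_dir/getsebool.out"
printf '%s\n' '# SETLOCALDEFS= Check local definition changes' 'SETLOCALDEFS=0' \
    > "$demo_dir/config"

echo "SETLOCALDEFS=$(setlocaldefs_value "$demo_dir/config")"
boolean_drift "$demo_dir/booleans" "$demo_dir/getsebool.out"
```

On a live system the inputs would be /etc/selinux/targeted/booleans, a file holding `getsebool -a` output, and /etc/selinux/config.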