Bug 707629

Summary: defined booleans which have no effect
Product: Red Hat Enterprise Linux 5 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.7CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-26 19:50:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2011-05-25 14:56:02 UTC
Description of problem:
Some booleans are defined in targeted policy but have no effect on a system running that policy.

1. assumption: "seinfo -b /etc/selinux/targeted/policy/policy.21" displays booleans which are defined in the binary policy file
2. assumption: "sesearch -C --all /etc/selinux/targeted/policy/policy.21 | grep user_ping" displays all rules associated with user_ping boolean

Version-Release number of selected component (if applicable):
selinux-policy-devel-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
# for I in mls strict targeted ; do echo $I ; seinfo -b /etc/selinux/$I/policy/policy.21 2>/dev/null | wc -l ; done
mls
122
strict
136
targeted
268
# seinfo -b /etc/selinux/targeted/policy/policy.21 2>/dev/null | grep user_ping
   user_ping
# sesearch -C --all /etc/selinux/targeted/policy/policy.21 | grep user_ping | wc -l
0
#

Actual results:
* user_ping boolean is defined in targeted policy, but enabling/disabling of the boolean has no effect on a system running targeted policy

Expected results:
* user_ping boolean is NOT defined in targeted policy, because enabling/disabling of the boolean would have no effect in a system running targeted policy

Additional information:
* other booleans which have no effect in targeted policy: user_direct_mouse, user_dmesg, user_net_control, user_rw_noexattrfile, user_tcp_server, user_ttyfile_stat

Comment 1 Daniel Walsh 2011-05-26 19:50:40 UTC
While true I don't think this is something we want to change, because it could effect strict and MLS policy for little benefit.

In RHEL6 these booleans have meaning.