Bug 733453

Summary: semanage reports incorrect boolean value when default value changes
Product: [Fedora] Fedora
Reporter: Garrett Holmstrom <gholms>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2011-09-06 20:33:17 UTC
Attachments: Minimal test policy for bug #733453

Description Garrett Holmstrom 2011-08-25 18:17:25 UTC
Description of problem:
When a system loads a policy with a boolean that defaults to on and then a policy update changes the default value to off, semanage reports it as off even though it is still on.


Version-Release number of selected component (if applicable):
policycoreutils-python-2.0.86-7.fc15.x86_64


Steps to Reproduce:
1. Load a policy with a boolean that defaults to on
2. Edit the policy to make that boolean default to off, then load the edited version
3. Inspect the value reported by ``semanage boolean -l''


Actual results:
test_policy_bool -> off test_policy_bool


Expected results:
test_policy_bool -> on test_policy_bool


Additional info:
I have not tested this with a system that has explicitly set the boolean in question.

Comment 1 Daniel Walsh 2011-08-25 18:37:44 UTC
I am not sure I believe you, I will have to check, but the command is currently broken in that it shows you the default state as written in policy and not the current state of the system.

# setsebool  git_system_use_cifs  on
# getsebool git_system_use_cifs 
git_system_use_cifs --> on
# semanage boolean -l | grep git_system_use_cifs
git_system_use_cifs            -> off   Allow Git daemon system to access cifs file systems.

Which looks like semanage is actually reading the policy as stored on disk.  The tool should be changed to show the current state versus the default state.


Could you attach your policy?

Comment 2 Garrett Holmstrom 2011-08-25 19:47:26 UTC
Created attachment 519972
Minimal test policy for bug #733453

Comment 3 Garrett Holmstrom 2011-08-25 21:09:05 UTC
The policy I used to test, when first loaded, has only a tunable that defaults to on:

> policy_module(test_policy, 1.0.0)
> gen_tunable(test_policy_bool, true)

At that point semanage reports it as on:

semanage boolean -l | grep test_policy
test_policy_bool               -> on    test_policy_bool

The edited policy changes the default and bumps the policy version:

> policy_module(test_policy, 1.1.0)
> gen_tunable(test_policy_bool, false)

And then semanage and getsebool disagree:

# semanage boolean -l | grep test_policy
test_policy_bool               -> off   test_policy_bool
# getsebool test_policy_bool
test_policy_bool --> on

Of course if semanage is *supposed* to report only the state on disk then this probably isn't a bug at all.
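
The disagreement shown in comments 1 and 3 can be checked for every boolean at once. The following is an added example, not part of the original report or of policycoreutils: the function name `bool_drift` and the sample data are constructed here, and it assumes the `semanage boolean -l` and `getsebool` line formats quoted in this bug.

```sh
#!/bin/sh
# Added example: list SELinux booleans whose running value (getsebool)
# differs from the value printed by `semanage boolean -l`, using the two
# line formats quoted in this bug report.

# Constructed sample input modelled on the output in comments 1 and 3.
# The header line and the httpd_enable_cgi description are made up.
SAMPLE_SEMANAGE='SELinux boolean                Description

test_policy_bool               -> off   test_policy_bool
git_system_use_cifs            -> off   Allow Git daemon system to access cifs file systems.
httpd_enable_cgi               -> on    Allow httpd cgi support'

SAMPLE_GETSEBOOL='test_policy_bool --> on
git_system_use_cifs --> on
httpd_enable_cgi --> on'

# bool_drift SEMANAGE_TEXT GETSEBOOL_TEXT
# Prints "name listed=X running=Y" for each boolean where the two differ.
# The getsebool text is fed first so the running values are known before
# the semanage lines are compared. Lines matching neither format (headers,
# blank lines) are ignored.
bool_drift() {
    { printf '%s\n' "$2"; printf '%s\n' "$1"; } | awk '
        # getsebool format: name --> on|off
        $2 == "-->" { running[$1] = $3; next }
        # semanage format: name -> on|off description...
        $2 == "->" && ($1 in running) && running[$1] != $3 {
            printf "%s listed=%s running=%s\n", $1, $3, running[$1]
        }'
}

# Run on the constructed sample. On a live system with the older semanage
# output shown in this report, the call would be:
#   bool_drift "$(semanage boolean -l)" "$(getsebool -a)"
bool_drift "$SAMPLE_SEMANAGE" "$SAMPLE_GETSEBOOL"
```

Any line printed is a boolean whose enforced state differs from what `semanage boolean -l` lists, so an audit that reads only the semanage listing would record the wrong value for it.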

Comment 4 Daniel Walsh 2011-08-26 18:54:10 UTC
Correct, the code is working correctly, but the semanage command should be changed to report the current state as well as the default state (state on disk).

Comment 5 Daniel Walsh 2011-09-06 20:33:17 UTC
Fixed in policycoreutils-2.1.5-2.fc17.x86_64