Red Hat Bugzilla – Bug 120481
selinux role drop-down list not enabled at all
Last modified: 2007-11-30 17:10:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6)
Description of problem:
In the create new user window, the "SELinux role" drop down list is
not enabled in any mode. It should be enabled in permissive and
enforcing modes and not enabled when selinux is not enabled. It will
be useful to have it enabled when in permissive mode so that a
sysadmin setting up users will be able to do so before he puts a
system into enforcing mode.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. select "add user"
3. try to use the SELinux role listbox
Actual Results: list box not working
Expected Results: list box lists roles when in enforcing or
permissive mode but not when selinux is disabled.
Are you sure that SELinux is actually running? Try this:
1) Run python.
2) type 'import os'
3) type 'os.system("/usr/bin/selinuxenabled")'
What is the output of that? If it's 0, then it's not actually running.
When selinux is enabled I get 0 from your python os call.
When selinux is definitely NOT enabled I get 256 from the same call.
The source code (from NSA site) is:
[richard@old1 utils]$ cat selinuxenabled.c
so the program returns the OPPOSITE of what is returned from the
function call. If I read it correctly.
the function "is_selinux_enabled" returns: (from reading enabled.c)
-1 if there is an error
0 if selinux is not enabled
1 if selinux is enabled
The selinux.h header comment for the function says:
/* Return 1 if we are running on a SELinux kernel, or 0 otherwise. */
extern int is_selinux_enabled(void);
Which is not entirely correct (since it can return -1).
The man page for selinuxenabled says:
"Command exits with state 0 if selinux is not enabled 1 if it
Which also appears incorrect since the FUNCTION returns 1 for enabled
and the program negates that so that the PROGRAM returns ZERO for
enabled. Which matches with what is actually happening, the program is
returning zero when selinux is in fact enabled.
The fact that we get 256 when selinux is NOT enabled indicated there
may be a need to check how "enabled.c" and selinuxenabled actually
p.s. when I boot with selinux=0 there are no files in /selinux,
getenforce returns "disabled" and setenforce 1 (or 0) fails.
Hmm, seems I need a more reliable indicator of whether SELinux is
running than /usr/bin/selinuxenabled. I will look into this.
I have since removed the SELinux widgets for the time being because
libuser does not have the necessary hooks to allow for SELinux role
configuration. I will add these widgets back once the SELinux
features have been added to libuser.
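
The 0 and 256 values discussed in this thread, decoded as an added example (not code from the bug report or from libselinux): on Unix `os.system()` returns a wait status rather than an exit code, so 256 is exit code 1, and per the behaviour observed above exit code 0 means enabled. The function names and the handling of shell codes 126/127 as "unknown" are assumptions of this example.

```python
import os
import subprocess

SELINUXENABLED = "/usr/bin/selinuxenabled"  # path quoted in the thread


def decode_wait_status(status):
    """Split an os.system()/wait() status into (exit_code, signal)."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status), None   # e.g. 256 -> exit code 1
    if os.WIFSIGNALED(status):
        return None, os.WTERMSIG(status)      # killed before it could answer
    return None, None


def state_from_wait_status(status):
    """Map a raw os.system() result for selinuxenabled to a state string.

    Uses the behaviour observed in the thread: exit code 0 means enabled.
    """
    code, _sig = decode_wait_status(status)
    if code is None:
        return "unknown"
    if code == 0:
        return "enabled"
    if code in (126, 127):   # assumption: shell could not run the binary
        return "unknown"
    return "disabled"


def probe(path=SELINUXENABLED):
    """Run the helper without a shell; returncode is already decoded."""
    try:
        rc = subprocess.run([path], check=False).returncode
    except OSError:          # missing or non-executable binary
        return "unknown"
    if rc == 0:
        return "enabled"
    return "disabled" if rc > 0 else "unknown"  # rc < 0: killed by a signal


if __name__ == "__main__":
    print("os.system status 256 ->", state_from_wait_status(256))
    print("live probe ->", probe())
```

Treating "unknown" separately from "disabled" keeps a missing or crashed helper from being read as a definite SELinux state.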