Bug 120481 - selinux role drop-down list not enabled at all
Product: Fedora
Classification: Fedora
Component: system-config-users
All Linux
medium Severity medium
Assigned To: Brent Fox
Reported: 2004-04-09 03:10 EDT by Richard Hally
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-04-19 14:33:12 EDT
Description Richard Hally 2004-04-09 03:10:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6)

Description of problem:
In the create new user window, the "SELinux role" drop down list is
not enabled in any mode. It should be enabled in permissive and
enforcing modes and not enabled when selinux is not enabled. It will
be useful to have it enabled when in permissive mode so that a
sysadmin setting up users will be able to do so before he puts a
system into enforcing mode. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. start system-config-users
2. select "add user"
3. try to use the SELinux role listbox

Actual Results:  list box not working

Expected Results:  list box lists roles when in enforcing or
permissive mode but not when selinux is disabled.

Additional info:
Comment 1 Brent Fox 2004-04-13 17:12:15 EDT
Are you sure that SELinux is actually running?  Try this:

1) Run python.
2) type 'import os'
3) type 'os.system("/usr/bin/selinuxenabled")'

What is the output of that?  If it's 0, then it's not actually running.
Comment 2 Richard Hally 2004-04-14 00:41:12 EDT
When selinux is enabled I get 0 from your python os call.
When selinux is definitely NOT enabled I get 256 from the same call.

The source code (from NSA site) is:
[richard@old1 utils]$ cat selinuxenabled.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <selinux/selinux.h>
int main(void)
{
        return !is_selinux_enabled();
}
so the program returns the OPPOSITE of what is returned from the
function call. If I read it correctly.

the function "is_selinux_enabled" returns: (from reading enabled.c)
-1 if there is a error
 0 if selinux is not enabled
 1 if selinux is enabled

The selinux.h header comment for the function says:
/* Return 1 if we are running on a SELinux kernel, or 0 otherwise. */
extern int is_selinux_enabled(void);
Which is not entirely correct (since it can return -1).

The man page for selinuxenabled says:
"Command exits with state 0 if  selinux  is  not  enabled  1  if  it 
is enabled."
Which also appears incorrect since the FUNCTION returns 1 for enabled
and the program negates that so that the PROGRAM returns ZERO for
enabled. Which matches with what is actually happening, the program is
returning zero when selinux is in fact enabled. 
The fact that we get 256 when selinux is NOT enabled indicated there 
may be a need to check how "enabled.c" and selinuxenabled actually
p.s. when I boot with selinux=0 there are no files in /selinux,
getenforce returns "disabled" and setenforce 1 (or 0) fails.
Comment 3 Brent Fox 2004-04-15 11:33:34 EDT
Hmm, seems I need a more reliable indicator of whether SELinux is
running than /usr/bin/selinuxenabled.  I will look into this.
Comment 4 Brent Fox 2004-04-19 14:32:53 EDT
I have since removed the SELinux widgets for the time being because
libuser does not have the necessary hooks to allow for SELinux role
configuration.  I will add these widgets back once the SELinux
features have been added to libuser.
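
An added example, not code from this thread or from system-config-users: it decodes the two os.system() values reported in Comment 2 (they are Unix wait statuses, so 256 is exit code 1) and models the quoted `return !is_selinux_enabled();`, which shows that an error return of -1 yields the same exit code as "enabled". The function names are hypothetical; the binary path is the one given in Comment 1.

```python
import os
import subprocess

SELINUXENABLED = "/usr/bin/selinuxenabled"  # path used in Comment 1


def exit_code_from_wait_status(status):
    """Decode the value os.system() returns on Unix (a wait status, not an exit code)."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)      # exit code lives in the high byte: 256 -> 1
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)        # killed by a signal: report it as negative
    raise ValueError("unexpected wait status: %r" % status)


def modelled_exit_code(rc):
    """Model `return !is_selinux_enabled();` from the source quoted in Comment 2."""
    return int(not rc)                     # C's ! maps any non-zero value, -1 included, to 0


def state_from_exit_code(code):
    """Shell convention: exit 0 is success, so 0 means SELinux is enabled."""
    return {0: "enabled", 1: "disabled"}.get(code, "unknown")


def selinux_state(path=SELINUXENABLED):
    """Run the helper without a shell and classify its exit code."""
    try:
        code = subprocess.run([path], check=False).returncode
    except OSError:                        # binary missing or not executable
        return "unknown"
    return state_from_exit_code(code)


if __name__ == "__main__":
    # Constructed inputs: the two os.system() values reported in Comment 2.
    for status in (0, 256):
        code = exit_code_from_wait_status(status)
        print(status, "->", code, "->", state_from_exit_code(code))
    # The three return values of is_selinux_enabled() listed in Comment 2.
    for rc in (1, 0, -1):
        print("is_selinux_enabled() ==", rc, "-> exit", modelled_exit_code(rc))
    print("this host:", selinux_state())
```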
