From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Description of problem:
In the create new user window, the "SELinux role" drop down list is not enabled in any mode. It should be enabled in permissive and enforcing modes and not enabled when selinux is not enabled. It will be useful to have it enabled when in permissive mode so that a sysadmin setting up users will be able to do so before he puts a system into enforcing mode.

Version-Release number of selected component (if applicable):
system-config-users-1.2.11-4

How reproducible:
Always

Steps to Reproduce:
1. start system-config-users
2. select "add user"
3. try to use the SELinux role listbox

Actual Results: list box not working

Expected Results: list box lists roles when in enforcing or permissive mode but not when selinux is disabled.

Additional info:
Are you sure that SELinux is actually running? Try this: 1) Run python. 2) type 'import os' 3) type 'os.system("/usr/bin/selinuxenabled")' What is the output of that? If it's 0, then it's not actually running.
When selinux is enabled I get 0 from your python os call. When selinux is definitely NOT enabled I get 256 from the same call.

The source code (from NSA site) is:
------------------------------------------
[richard@old1 utils]$ cat selinuxenabled.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <selinux/selinux.h>

int main(void)
{
    return !is_selinux_enabled();
}
--------------------------------------
so the program returns the OPPOSITE of what is returned from the function call.

If I read it correctly, the function "is_selinux_enabled" returns (from reading enabled.c):
-1 if there is an error
0 if selinux is not enabled
1 if selinux is enabled

The selinux.h header comment for the function says:
/* Return 1 if we are running on a SELinux kernel, or 0 otherwise. */
extern int is_selinux_enabled(void);
Which is not entirely correct (since it can return -1).

The man page for selinuxenabled says: "Command exits with state 0 if selinux is not enabled 1 if it is enabled." Which also appears incorrect since the FUNCTION returns 1 for enabled and the program negates that so that the PROGRAM returns ZERO for enabled. Which matches with what is actually happening, the program is returning zero when selinux is in fact enabled.

The fact that we get 256 when selinux is NOT enabled indicates there may be a need to check how "enabled.c" and selinuxenabled actually work.

p.s. when I boot with selinux=0 there are no files in /selinux, getenforce returns "disabled" and setenforce 1 (or 0) fails.
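As an added example (not code from this bug report or from system-config-users), the following shows why the os.system() check in comment 2 reads 0 for enabled and 256 for disabled: on POSIX systems os.system() returns a raw wait status, where the child's exit code sits in the high byte, and selinuxenabled itself exits 0 when SELinux is enabled. The function names are my own; it assumes a POSIX platform.

```python
import os

# Exit codes of /usr/bin/selinuxenabled, taken from the source quoted above:
# main() returns !is_selinux_enabled(), so 0 means enabled and 1 means disabled.
SELINUXENABLED_ENABLED = 0
SELINUXENABLED_DISABLED = 1


def decode_wait_status(status):
    """Split a POSIX wait status (what os.system() returns) into its parts.

    Returns (exit_code, signal); exactly one of the two is None.
    A normal exit keeps the exit code in bits 8..15, which is why an
    exit code of 1 shows up as 256.  A death by signal keeps the signal
    number in the low 7 bits.
    """
    low = status & 0x7F
    if low == 0:                      # normal exit: code in the high byte
        return (status >> 8) & 0xFF, None
    if low == 0x7F:                   # stopped, not terminated
        raise ValueError("process stopped, not terminated: %r" % status)
    return None, low                  # killed by signal `low`


def interpret_selinuxenabled(wait_status):
    """Map a raw os.system('/usr/bin/selinuxenabled') value to a tri-state.

    True  -> SELinux enabled (exit code 0)
    False -> SELinux disabled (exit code 1, i.e. wait status 256)
    None  -> could not tell (signal, missing binary, unexpected code)
    """
    exit_code, signal = decode_wait_status(wait_status)
    if signal is not None:
        return None
    if exit_code == SELINUXENABLED_ENABLED:
        return True
    if exit_code == SELINUXENABLED_DISABLED:
        return False
    return None  # e.g. 127 when the shell cannot find the binary


def selinux_enabled_via_binary(path="/usr/bin/selinuxenabled"):
    """Run the real binary, if installed, and interpret its status correctly."""
    if not os.path.exists(path):
        return None
    return interpret_selinuxenabled(os.system(path))
```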
Hmm, seems I need a more reliable indicator of whether SELinux is running than /usr/bin/selinuxenabled. I will look into this.
I have since removed the SELinux widgets for the time being because libuser does not have the necessary hooks to allow for SELinux role configuration. I will add these widgets back once the SELinux features have been added to libuser.