Created attachment 106325: strace setsebool -P
Installed FC3 (ran yum update against the rawhide-latest). I have the following packages of interest installed:

checkpolicy-1.18.1-1.i386
libselinux-1.18.1-4.i386
selinux-policy-targeted-1.18.2-1.noarch
policycoreutils-1.18.1-1.i386
selinux-policy-targeted-sources-1.18.2-1.noarch
libselinux-devel-1.18.1-4.i386
system-config-securitylevel-1.4.17-1.i386

I ran system-config-securitylevel to tinker with the SELinux related booleans. After closing the application, I noticed that getsebool indicated that there were pending changes. I attempted to run setsebool -P to activate all pending changes and the program segfaults. I am attaching the strace output of the setsebool segfault.

[root@flatline ~]# rpm -q libselinux
libselinux-1.18.1-4
[root@flatline ~]# getsebool -a
allow_ypbind --> active: 0 pending: 0
dhcpd_disable_trans --> active: 0 pending: 0
httpd_disable_trans --> active: 0 pending: 0
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 1
httpd_ssi_exec --> active: 1 pending: 1
httpd_unified --> active: 1 pending: 1
named_disable_trans --> active: 0 pending: 0
named_write_master_zones --> active: 0 pending: 0
nscd_disable_trans --> active: 0 pending: 0
ntpd_disable_trans --> active: 0 pending: 0
portmap_disable_trans --> active: 0 pending: 0
snmpd_disable_trans --> active: 0 pending: 0
squid_disable_trans --> active: 0 pending: 0
syslogd_disable_trans --> active: 0 pending: 0
use_nfs_home_dirs --> active: 0 pending: 0
ypbind_disable_trans --> active: 0 pending: 0
[root@flatline ~]# setsebool -P
Segmentation fault
[root@flatline ~]# strace -o /tmp/setsebool.strace setsebool -P
Fixed in libselinux-1.19.1-1.i386.rpm
From setsebool(8):

If the -P option is given, all pending values are written to the boolean file on disk.

$ setsebool -P
Usage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...
$ getsebool -a | grep -v "pending: 0"
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 1
httpd_ssi_exec --> active: 1 pending: 1
httpd_unified --> active: 1 pending: 1

Appears that something isn't right. Is the -P switch documented or working by design?
This is probably more of a bug in getsebool than setsebool. The -P qualifier just updates the booleans config file so the next policy load or reboot maintains the boolean setting. Maybe getsebool should only show pending if it is different from active; I think it means that pending state is X versus current state. Basically, setting booleans is a transaction-based process, so you can set 5 booleans to 1 (pending state) before you commit them.
How about if I change its output to:

getsebool -a
httpd_enable_homedirs --> active pending --> inactive
httpd_ssi_exec --> active
httpd_unified --> inactive
mozilla_readhome --> active
mozilla_writehome --> active
named_write_master_zones --> inactive
nfs_export_all_ro --> inactive
nfs_export_all_rw --> inactive
read_default_t --> active
run_ssh_inetd --> inactive
secure_mode --> inactive
spamassasin_can_network --> inactive
ssh_sysadm_login --> active
staff_read_sysadm_file --> active
use_nfs_home_dirs --> inactive
user_direct_mouse --> inactive
user_dmesg --> inactive
user_net_control --> inactive
user_ping --> active
user_rw_noexattrfile --> active
user_rw_usb --> active
user_tcp_server --> active
user_ttyfile_stat --> inactive
xdm_sysadm_login --> inactive
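Added example, not part of the original thread and not libselinux code: a Python sketch that parses the `getsebool -a` format quoted in the report, lists booleans whose pending value differs from the active one, and re-renders the list in the style proposed in the comment above. The sample input is constructed, the function names are hypothetical, and printing `pending --> ...` on the same line as the boolean is an assumption about the proposed layout.

```python
import re

# Line format quoted in the report: "name --> active: 1 pending: 0"
LINE_RE = re.compile(
    r"^(\S+)\s+-->\s+active:\s*([01])\s+pending:\s*([01])$")
STATE = {0: "inactive", 1: "active"}

def parse_getsebool(text):
    """Return ({name: (active, pending)}, [lines that did not parse])."""
    booleans, rejected = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)  # surface it rather than guess a state
            continue
        booleans[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return booleans, rejected

def uncommitted(booleans):
    """Names whose pending value differs from the active one."""
    return sorted(n for n, (a, p) in booleans.items() if a != p)

def render_proposed(booleans):
    """Proposed style: print the pending state only when it differs."""
    out = []
    for name in sorted(booleans):
        active, pending = booleans[name]
        line = f"{name} --> {STATE[active]}"
        if pending != active:
            # Same-line placement is an assumption about the proposal.
            line += f" pending --> {STATE[pending]}"
        out.append(line)
    return "\n".join(out)

# Constructed sample in the report's format; httpd_enable_homedirs is given a
# differing pending value, and the last line stands in for stray output.
SAMPLE = """\
allow_ypbind --> active: 0 pending: 0
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 0
Segmentation fault
"""

if __name__ == "__main__":
    parsed, bad = parse_getsebool(SAMPLE)
    print(render_proposed(parsed))
    print("uncommitted:", uncommitted(parsed), "unparsed:", bad)
```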
Fixed in libselinux-1.19.1-2
fixed for some time now