Bug 138457 - setsebool -P segfaults
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-09 08:46 EST by James Laska
Modified: 2013-09-02 02:02 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-01-18 07:43:23 EST

Attachments
strace setsebool -P (2.97 KB, text/plain)
2004-11-09 08:46 EST, James Laska

Description James Laska 2004-11-09 08:46:54 EST
Created attachment 106325
strace setsebool -P
Comment 1 James Laska 2004-11-09 08:46:54 EST
Installed FC3 (ran yum update against the rawhide-latest).  I have the following
packages of interest installed:

checkpolicy-1.18.1-1.i386
libselinux-1.18.1-4.i386
selinux-policy-targeted-1.18.2-1.noarch
policycoreutils-1.18.1-1.i386
selinux-policy-targeted-sources-1.18.2-1.noarch
libselinux-devel-1.18.1-4.i386
system-config-securitylevel-1.4.17-1.i386

I ran system-config-securitylevel to tinker with the SELinux related booleans. 
After closing the application, I noticed that getsebool indicated that there
were pending changes.  I attempted to run setsebool -P to activate all pending
changes and the program segfaults.  I am attaching the strace output of the
setsebool segfault.

[root@flatline ~]# rpm -q libselinux
libselinux-1.18.1-4

[root@flatline ~]# getsebool -a
allow_ypbind --> active: 0 pending: 0
dhcpd_disable_trans --> active: 0 pending: 0
httpd_disable_trans --> active: 0 pending: 0
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 1
httpd_ssi_exec --> active: 1 pending: 1
httpd_unified --> active: 1 pending: 1
named_disable_trans --> active: 0 pending: 0
named_write_master_zones --> active: 0 pending: 0
nscd_disable_trans --> active: 0 pending: 0
ntpd_disable_trans --> active: 0 pending: 0
portmap_disable_trans --> active: 0 pending: 0
snmpd_disable_trans --> active: 0 pending: 0
squid_disable_trans --> active: 0 pending: 0
syslogd_disable_trans --> active: 0 pending: 0
use_nfs_home_dirs --> active: 0 pending: 0
ypbind_disable_trans --> active: 0 pending: 0

[root@flatline ~]# setsebool -P
Segmentation fault

[root@flatline ~]# strace -o /tmp/setsebool.strace setsebool -P
Comment 2 Daniel Walsh 2004-11-11 08:57:41 EST
Fixed in libselinux-1.19.1-1.i386.rpm

Comment 3 James Laska 2004-11-11 09:03:17 EST
from setsebool(8)

       If  the  -P  option  is  given,  all  pending values are written to the
       boolean file on disk.

$ setsebool -P

Usage:  setsebool [ -P ] boolean value | bool1=val1 bool2=val2...

$ getsebool -a | grep -v "pending: 0"
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 1
httpd_ssi_exec --> active: 1 pending: 1
httpd_unified --> active: 1 pending: 1


Appears that something isn't right.  Is the -P switch documented or working by
design?
Comment 4 Daniel Walsh 2004-11-11 09:16:50 EST
This is probably more of a bug in getsebool than setsebool.

The -P qualifier just updates the booleans config file so the next
policy load or reboot maintains the boolean setting.

Maybe getsebool should only show pending if it is different from
active, I think it means that pending state is X versus current State.

Basically setting booleans is a transaction-based process, so you can
set 5 booleans to 1 (Pending State) before you commit them.

Comment 5 Daniel Walsh 2004-11-11 09:24:49 EST
How about if I change its output to 

getsebool -a
httpd_enable_homedirs --> active pending --> inactive
httpd_ssi_exec --> active
httpd_unified --> inactive
mozilla_readhome --> active
mozilla_writehome --> active
named_write_master_zones --> inactive
nfs_export_all_ro --> inactive
nfs_export_all_rw --> inactive
read_default_t --> active
run_ssh_inetd --> inactive
secure_mode --> inactive
spamassasin_can_network --> inactive
ssh_sysadm_login --> active
staff_read_sysadm_file --> active
use_nfs_home_dirs --> inactive
user_direct_mouse --> inactive
user_dmesg --> inactive
user_net_control --> inactive
user_ping --> active
user_rw_noexattrfile --> active
user_rw_usb --> active
user_tcp_server --> active
user_ttyfile_stat --> inactive
xdm_sysadm_login --> inactive
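
Added example (not part of the bug thread, and not libselinux or policycoreutils code): a shell filter that takes the "active: N pending: M" listing shown in Comment 1 and prints it in the style Comment 5 proposes, flagging booleans that have been set but not yet committed, as Comment 4 describes. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed, in the format shown in Comment 1.
sample_getsebool() {
    cat <<'EOF'
allow_ypbind --> active: 0 pending: 0
httpd_enable_cgi --> active: 1 pending: 1
httpd_enable_homedirs --> active: 1 pending: 0
httpd_unified --> active: 0 pending: 1
EOF
}

# render_booleans (hypothetical helper): reads "name --> active: N pending: M"
# lines on stdin and prints them in the style proposed in Comment 5, showing
# the pending value only when it differs from the active one.
# Exit status: 0 = nothing uncommitted, 1 = uncommitted changes, 2 = bad input.
render_booleans() {
    awk '
    function state(v) { return (v == 1) ? "active" : "inactive" }
    NF == 0 { next }                      # skip blank lines
    NF != 6 || $2 != "-->" || $3 != "active:" || $5 != "pending:" ||
    $4 !~ /^[01]$/ || $6 !~ /^[01]$/ {
        printf "line %d: unrecognised: %s\n", NR, $0 > "/dev/stderr"
        bad = 1
        next
    }
    {
        line = $1 " --> " state($4)
        if ($4 != $6) {                   # set but not yet committed
            line = line " pending --> " state($6)
            changed++
        }
        print line
    }
    END {
        if (bad) exit 2
        exit (changed > 0 ? 1 : 0)
    }'
}

# Demo on the constructed sample.
sample_getsebool | render_booleans || echo "exit status $? (see header comment)" >&2
```

The non-zero exit status lets a configuration check fail when a boolean has been changed in the running policy but not committed.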
Comment 6 Daniel Walsh 2004-11-17 16:40:51 EST
Fixed in libselinux-1.19.1-2
Comment 7 James Laska 2005-01-18 07:43:23 EST
fixed for some time now