Bug 173598 - default booleans not in effect after reboot
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
medium
high
Assignee: Daniel Walsh
 
Reported: 2005-11-18 15:47 UTC by Alexandre Oliva
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-11-30 20:19:26 UTC

Description Alexandre Oliva 2005-11-18 15:47:07 UTC

Description of problem:
Boolean defaults defined in /etc/selinux/targeted/booleans are not in effect when the system is brought up.  An NFS server, for example, won't let clients access mount points, because nfs_export_all_* are not enabled.  As soon as I run 

setsebool $(grep -v ^# /etc/selinux/targeted/booleans )

everything starts working as expected (modulo other known policy bugs :-)

I don't even have a booleans.local file, so that's not it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.2-19

How reproducible:
Always

Steps to Reproduce:
1. Boot up
2. Check whether the default booleans are set

Actual Results:  They are not

Expected Results:  They should be


Comment 1 Daniel Walsh 2005-11-18 16:50:01 UTC
Did you install reference policy and then remove it?  If yes, could you
rm -rf /etc/selinux/targeted/modules?

This might be causing init to be confused and think you are running reference
policy.  Reference policy ignores the booleans file, because it gets compiled
into the policy.

Dan

Comment 2 Alexandre Oliva 2005-11-18 17:52:45 UTC
If you mean selinux-targeted-policy-2.0.0 that hit rawhide a few days ago and
was later downgraded, yes, I did.  Unfortunately, even after rm -rf
/etc/selinux/targeted/modules and a reboot, I still get:

getsebool -a | grep nfs
nfs_export_all_ro --> inactive
nfs_export_all_rw --> inactive
nfsd_disable_trans --> inactive
use_nfs_home_dirs --> inactive

whereas 

# grep nfs /etc/selinux/targeted/booleans
nfs_export_all_ro=1
nfs_export_all_rw=1
use_nfs_home_dirs=0

:-(

Where is it that these booleans get set up?  I could try to debug it from there,
but I just can't figure out where they're supposed to be loaded.  Thanks,

Comment 3 Daniel Walsh 2005-11-18 18:26:33 UTC
In /etc/selinux/config, remove the
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

or set it to 1

See if that fixes it.

Comment 4 Alexandre Oliva 2005-11-19 02:01:21 UTC
Thank you very much, that did it.

I was about to close this as NOTABUG, but then I thought you might want to take
such downgrade cases into account in the reference package (if at all possible)
to avoid problems like the one I ran into.
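
A drift check for the symptom in this report, as an added example that is not part of the bug thread: it compares a booleans defaults file with saved `getsebool -a` output and reports the SETLOCALDEFS value found in an SELinux config file. The function names and the temp-file sample data are assumptions, constructed from the values quoted in Comments 2 and 3.

```shell
#!/bin/sh
# Added example (not from the bug thread): boolean defaults vs. runtime state.

# Print the SETLOCALDEFS value from an SELinux config file, or "unset".
setlocaldefs_value() {
    awk -F= '/^[ \t]*SETLOCALDEFS[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# $1: booleans defaults file (name=0|1)
# $2: saved `getsebool -a` output (name --> active|inactive; on|off accepted)
# Prints "name configured=N runtime=N|missing" for every mismatch.
boolean_drift() {
    awk '
        NR == FNR {                       # first file read: runtime state
            if ($2 == "-->") run[$1] = ($3 == "active" || $3 == "on") ? "1" : "0"
            next
        }
        /^[ \t]*#/ || !/=/ { next }       # skip comments and lines without "="
        {
            split($0, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            want = kv[2]; gsub(/[ \t]/, "", want)
            want = (want == "1" || want == "true") ? "1" : "0"
            have = (name in run) ? run[name] : "missing"
            if (have != want)
                printf "%s configured=%s runtime=%s\n", name, want, have
        }
    ' "$2" "$1"
}

# Demo on constructed files that mirror the values quoted in this report.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# SETLOCALDEFS= Check local definition changes' \
        'SETLOCALDEFS=0' > "$d/config"
    printf '%s\n' 'nfs_export_all_ro=1' 'nfs_export_all_rw=1' \
        'use_nfs_home_dirs=0' > "$d/booleans"
    printf '%s\n' 'nfs_export_all_ro --> inactive' \
        'nfs_export_all_rw --> inactive' 'nfsd_disable_trans --> inactive' \
        'use_nfs_home_dirs --> inactive' > "$d/runtime"
    echo "SETLOCALDEFS: $(setlocaldefs_value "$d/config")"
    boolean_drift "$d/booleans" "$d/runtime"
    rm -rf "$d"
}
demo
```

On a live system the inputs would be /etc/selinux/config, the booleans file for the active policy, and the output of `getsebool -a` saved to a file.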

