Bug 733453 - semanage reports incorrect boolean value when default value changes
Summary: semanage reports incorrect boolean value when default value changes
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2011-08-25 18:17 UTC by Garrett Holmstrom
Modified: 2011-09-06 20:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-06 20:33:17 UTC

Attachments
Minimal test policy for bug #733453 (71 bytes, application/octet-stream)
2011-08-25 19:47 UTC, Garrett Holmstrom

Description Garrett Holmstrom 2011-08-25 18:17:25 UTC
Description of problem:
When a system loads a policy with a boolean that defaults to on and then a policy update changes the default value to off, semanage reports it as off even though it is still on.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Load a policy with a boolean that defaults to on
2. Edit the policy to make that boolean default to off, then load the edited version
3. Inspect the value reported by ``semanage boolean -l''

Actual results:
test_policy_bool -> off test_policy_bool

Expected results:
test_policy_bool -> on test_policy_bool

Additional info:
I have not tested this with a system that has explicitly set the boolean in question.

Comment 1 Daniel Walsh 2011-08-25 18:37:44 UTC
I am not sure I believe you, I will have to check, but the command is currently broken in that it shows you the default state as written in policy and not the current state of the system.

# setsebool  git_system_use_cifs  on
# getsebool git_system_use_cifs 
git_system_use_cifs --> on
# semanage boolean -l | grep git_system_use_cifs
git_system_use_cifs            -> off   Allow Git daemon system to access cifs file systems.

Which looks like semanage is actually reading the policy as stored on disk. The tool should be changed to show the current state versus the default state.

Could you attach your policy?

Comment 2 Garrett Holmstrom 2011-08-25 19:47:26 UTC
Created attachment 519972
Minimal test policy for bug #733453

Comment 3 Garrett Holmstrom 2011-08-25 21:09:05 UTC
The policy I used to test, when first loaded, has only a tunable that defaults to on:

> policy_module(test_policy, 1.0.0)
> gen_tunable(test_policy_bool, true)

At that point semanage reports it as on:

semanage boolean -l | grep test_policy
test_policy_bool               -> on    test_policy_bool

The edited policy changes the default and bumps the policy version:

> policy_module(test_policy, 1.1.0)
> gen_tunable(test_policy_bool, false)

And then semanage and getsebool disagree:

# semanage boolean -l | grep test_policy
test_policy_bool               -> off   test_policy_bool
# getsebool test_policy_bool
test_policy_bool --> on

Of course if semanage is *supposed* to report only the state on disk then this probably isn't a bug at all.

Comment 4 Daniel Walsh 2011-08-26 18:54:10 UTC
Correct, the code is working correctly, but the semanage command should be changed to report the current state as well as the default state (state on disk).

Comment 5 Daniel Walsh 2011-09-06 20:33:17 UTC
Fixed in policycoreutils-2.1.5-2.fc17.x86_64
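
The comparison made by hand in comments 1 and 3, as an added example that is not part of the original bug report or of policycoreutils: a shell function that lists every boolean whose value in "semanage boolean -l" output differs from the running value in getsebool output. It assumes the two output formats quoted in this thread; the name bool_drift, the file names and the third sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find booleans where the value
# printed by `semanage boolean -l` (policy as stored on disk, per comment 1)
# differs from the running value printed by `getsebool`.

# bool_drift SEMANAGE_FILE GETSEBOOL_FILE
# Prints "name semanage=X runtime=Y" for each mismatch; returns 1 if any.
bool_drift() {
    awk '
        # First argument: getsebool lines, "name --> on|off"
        FILENAME == ARGV[1] { if ($2 == "-->") runtime[$1] = $3; next }
        # Second argument: semanage lines, "name -> on|off description"
        $2 == "->" && ($1 in runtime) && runtime[$1] != $3 {
            printf "%s semanage=%s runtime=%s\n", $1, $3, runtime[$1]
            drift = 1
        }
        END { exit (drift ? 1 : 0) }
    ' "$2" "$1"
}

# Constructed sample input: the first two entries mirror the output quoted
# in comments 1 and 3; the third is an invented entry with matching state.
sample_dir=$(mktemp -d)
cat > "$sample_dir/semanage.txt" <<'EOF'
test_policy_bool               -> off   test_policy_bool
git_system_use_cifs            -> off   Allow Git daemon system to access cifs file systems.
example_constructed_bool       -> on    constructed entry, not a real boolean
EOF
cat > "$sample_dir/getsebool.txt" <<'EOF'
test_policy_bool --> on
git_system_use_cifs --> on
example_constructed_bool --> on
EOF

bool_drift "$sample_dir/semanage.txt" "$sample_dir/getsebool.txt" \
    || echo "semanage and getsebool disagree on the booleans listed above"

# On a live system (as root):
#   semanage boolean -l > semanage.txt; getsebool -a > getsebool.txt
#   bool_drift semanage.txt getsebool.txt
```

Any line it prints is a boolean whose running state would go unnoticed by an audit that reads only the semanage listing in the format shown above.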
