Bug 994131 - add ability to set boolean options when selinux is disabled
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 20
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: 988855
Reported: 2013-08-06 10:43 EDT by Joey Boggs
Modified: 2015-01-05 04:40 EST

Doc Type: Bug Fix
Last Closed: 2015-01-05 04:40:31 EST
Type: Bug

Description Joey Boggs 2013-08-06 10:43:11 EDT
Description of problem:
When installing an rpm that sets boolean options in %post and selinux is disabled it will fail to do so. This presents a problem when selinux is later enabled and those things don't work properly. Adding an additional option for offline saving is needed.

Version-Release number of selected component (if applicable):
policycoreutils-2.1.14-46.4.fc19.x86_64

How reproducible:
Use case in this scenario is complicated. Involves using a tool to open a livecd image, installing an rpm in the chroot where selinux is not running. Once the image is packed back up selinux will work, however those options will not be enabled.

Simple case of disabling selinux, attempting setsebool, re-enable selinux and those options working should be fine.


Actual results:
setsebool options are at default settings

Expected results:
boolean options set on/off as required
Comment 1 Daniel Walsh 2013-08-07 14:17:58 EDT
Does 
# semanage boolean --on boolean
work?
Comment 2 Fedora End Of Life 2013-09-16 12:25:55 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 3 Fabian Deutsch 2014-11-04 13:29:42 EST
Yaniv, could this maybe help vdsm to set the booleans in post?
Comment 4 Mooli Tayer 2014-11-08 03:44:15 EST
Daniel:
$ cat /etc/fedora-release 
Fedora release 21 (Twenty One)

$ rpm -qv policycoreutils-python 
policycoreutils-python-2.3-7.1.fc21.x86_64

$ sestatus
SELinux status:                 disabled

mtayer@dhcp-1-3:~$ sudo semanage boolean -m --on virt_use_samba
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
OSError: Error

Daniel: is it supposed to work?
(currently we assume it isn't)

Fabian:
It will make things easier, but it is not needed:
as of a recent change [1] we set up booleans only when selinux is enabled.
Then, when vdsm starts we check again if selinux is enabled and if so we
test the booleans and abort if they are not configured (telling the user to run
vdsm-tool). Thus this might save us the tests, and save the user the need
to run vdsm-tool after he enables selinux.

[1] http://gerrit.ovirt.org/#/c/34463/
Comment 5 Yaniv Bronhaim 2014-11-11 05:12:21 EST
AFAIU from comment #4, this change does not allow setting the boolean when selinux is disabled. Therefore this does not help in any way, but may help to avoid the exception we faced recently (which might be nice, but we use the seobject package, which should be updated with that, and then we can require that version in that case).

Anyhow, the issue doesn't look better with this fix. Anyhow, we need to reset the booleans once selinux is enabled on the system.
Comment 6 Daniel Walsh 2015-01-02 09:17:37 EST
semanage boolean -N 

Should help.
Comment 7 Mooli Tayer 2015-01-04 05:01:56 EST
(In reply to Daniel Walsh from comment #6)
> semanage boolean -N 
> 
> Should help.

Works for me on fe20.

# rpm -qa | grep policycoreutils
policycoreutils-python-2.2.5-4.fc20.x86_64
policycoreutils-2.2.5-4.fc20.x86_64
# sestatus
SELinux status:                 disabled
# sudo semanage boolean -m --on virt_use_samba

Above exception - comment 4

# sudo semanage boolean -N -m --on virt_use_samba
#

vdsm should make use of this option too.
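
The approach the thread arrives at in comments 4 to 7, as an added example that is not code from vdsm or policycoreutils: a `%post`-style helper that uses `semanage boolean -N` when SELinux is disabled, plus the start-up check described in comment 4. All function names are hypothetical, and the `getsebool` line format (`NAME --> on`) is assumed to be the tool's usual output.

```shell
#!/bin/sh
# Added example (constructed): helper for an rpm %post scriptlet and a
# service start-up check. Function names are hypothetical.

# Succeeds only when SELinux is enabled on the running system; a missing
# selinuxenabled utility is treated as "disabled".
selinux_is_enabled() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Print the semanage command for boolean $1, value $2 (on|off), given
# SELinux state $3 (enabled|disabled). Inputs are validated because the
# result is later executed with word splitting.
sebool_command() {
    case "$1" in ''|*[!A-Za-z0-9_]*) echo "bad boolean name" >&2; return 2 ;; esac
    case "$2" in on|off) ;; *) echo "bad value: $2" >&2; return 2 ;; esac
    if [ "$3" = enabled ]; then
        echo "semanage boolean -m --$2 $1"
    else
        # -N skips the policy reload that fails in comment 4.
        echo "semanage boolean -N -m --$2 $1"
    fi
}

# %post entry point: persist the boolean whatever the SELinux state.
set_sebool() {
    if selinux_is_enabled; then state=enabled; else state=disabled; fi
    cmd=$(sebool_command "$1" "$2" "$state") || return
    $cmd
}

# True when a line of `getsebool NAME` output ("NAME --> on") shows the
# expected value.
sebool_line_matches() {
    [ "$1" = "$2 --> $3" ]
}

# Start-up check: with SELinux enabled, fail if the boolean is not set.
verify_sebool() {
    selinux_is_enabled || return 0   # nothing to enforce while disabled
    sebool_line_matches "$(getsebool "$1" 2>/dev/null)" "$1" "$2"
}
```

In a scriptlet this would be called as `set_sebool virt_use_samba on`, with `verify_sebool virt_use_samba on` run at service start.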
