On 07/02/2009 08:39 AM, Stephen Smalley wrote:
On Wed, 2009-07-01 at 22:11 -0400, Christopher Pardy wrote:
On 07/01/2009 10:08 PM, Christopher Pardy wrote:
This is a heavily modified version of the patch I recently submitted.
It provides 3 new functions: in libsepol sepol_get_disable_dontaudit;
in libsemanage semanage_get_disable_dontaudit; in libselinux
is_dontaudit_disabled. It also fixes issues with the previous patch.
The justification for this patch is the same as the one I posted
earlier. Simply, there is currently no way to know if dontaudit rules
are enabled. Additionally once don't audit rules are turned they turn
themselves off after policy rebuild (is that the desired
functionality?) This patch provides a way to check on both the
current and pending state of the dontaudit rules and it maintains this
state between policy rebuilds.
Signed-off-by Christopher Pardy <cpardy@xxxxxxxxxx>
Patch 1 implements libsepol function. Including inline and attaching in
case thunderbird messes up tabs.
It did. But allegedly one can configure it to work, e.g. read:
http://lxr.linux.no/linux+v2.6.30/Documentation/email-clients.txt
diff -urN selinux.orig/libsepol/include/sepol/handle.h
selinux/libsepol/include/sepol/handle.h
--- selinux.orig/libsepol/include/sepol/handle.h 2009-07-01
21:05:26.823235749 -0400
+++ selinux/libsepol/include/sepol/handle.h 2009-07-01
21:08:33.277237031 -0400
@@ -7,6 +7,12 @@
/* Create and return a sepol handle. */
sepol_handle_t *sepol_handle_create(void);
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by disable dont audit. This value reflects the state
+ * your system will be set to upon commit, not nessesarily it's
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
I don't understand why we would export this, as it is a transient
setting only meaningful within a transaction and the caller should know
whether or not he has set or cleared it already.
Yes the caller should know, this patch simply provides function
symmetry between get and set functions. It also allows the other part
of this patch to actually work as the caller might not know what the
value has been set to by default. Also although we assume the caller
has remembered when using the terminal commands when programs are
modifying this value it seems redundant to force them to store a flag
when the ability to read the flag in the handle is so trivial.
+
/* Set whether or not to disable dontaudits, 0 is default and does
* not disable dontaudits, 1 disables them */
void sepol_set_disable_dontaudit(sepol_handle_t * sh, int
disable_dontaudit);
diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
--- selinux.orig/libsepol/src/handle.c 2009-07-01 21:05:26.854236864
-0400
+++ selinux/libsepol/src/handle.c 2009-07-01 21:07:15.532236991 -0400
@@ -21,6 +21,12 @@
return sh;
}
+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+ assert(sh !=NULL);
+ return sh->disable_dontaudit;
+}
+
void sepol_set_disable_dontaudit(sepol_handle_t * sh, int
disable_dontaudit)
{
assert(sh !=NULL);
diff -urN selinux.orig/libsepol/src/libsepol.map
selinux/libsepol/src/libsepol.map
--- selinux.orig/libsepol/src/libsepol.map 2009-07-01
21:05:26.848236011 -0400
+++ selinux/libsepol/src/libsepol.map 2009-07-01 21:07:45.948485729 -0400
@@ -12,6 +12,7 @@
sepol_policydb_*; sepol_set_policydb_from_file;
sepol_policy_kern_*;
sepol_policy_file_*;
+ sepol_get_disable_dontaudit;
sepol_set_disable_dontaudit;
sepol_set_expand_consume_base;
local: *;
|
