On Mon, 2009-07-06 at 11:54 -0400, Christopher Pardy wrote:
> The issue is that I need to know what the flag was set to on the last
> commit. For this I don't want to look at the sandbox where the
> in-progress files are stored, I want to look at the file that gets
> written post-commit. Also this functionality cannot be put into
> set_disable_dontaudit.

Ok, let me clarify how libsemanage works:

1. Let DIR=/etc/selinux/$SELINUXTYPE/modules represent the policy store.

2. The files for the current, active policy live under $DIR/active/.

3. When you start a transaction, libsemanage creates a complete copy of $DIR/active to $DIR/tmp.

4. For each operation you perform within the transaction, libsemanage acts on that copy only. If you call semanage_set_disable_dontaudit() with a 0, then you'll remove the flag file within the copy; or if you call it with a 1, you'll create the flag file within the copy. If you implement semanage_get_disable_dontaudit() by testing for the existence of the flag file within the sandbox and it gets called by another process in a different transaction, it will still see the current, active setting.

5. When you commit, libsemanage moves $DIR/active to $DIR/previous, and moves $DIR/tmp to $DIR/active. Now the flag file is active.

You don't need some external file for this, and you don't really want a sepol_get_disable_dontaudit() - it only tells you the transient in-memory setting from the last call to sepol_set_disable_dontaudit() on the same handle. You want to just test for the existence of the flag file in the store.

Try it, and let me know if it doesn't actually work.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
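The store behaviour described in steps 1-5, as an added example that is not code from the mail or from libsemanage: a small C model in which a transaction copies active/ to tmp/, set_disable_dontaudit creates or removes the flag file in that copy, get tests the flag file in active/, and commit renames active/ to previous/ and tmp/ to active/. The function names store_begin, store_set_disable_dontaudit, store_get_disable_dontaudit, store_commit and demo_store_transaction are assumed for this model, which copies only the flag file rather than the whole tree.

```c
#define _DEFAULT_SOURCE 1   /* for mkdtemp() */
/* Model of the store layout described in the mail: active/ (current policy), tmp/ (sandbox copy made
 * at transaction start) and previous/. Only the flag file is copied; real libsemanage copies the tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define FLAG "disable_dontaudit"

static int exists(const char *p) { struct stat st; return stat(p, &st) == 0; }
static int touch(const char *p) { int fd = open(p, O_WRONLY | O_CREAT, 0600); return fd < 0 ? -1 : close(fd); }
static void sub(char *out, size_t n, const char *store, const char *s) { snprintf(out, n, "%s/%s", store, s); }
/* get: test for the flag file in active/, so a caller in another transaction sees the committed value. */
int store_get_disable_dontaudit(const char *store) {
    char p[512]; sub(p, sizeof p, store, "active/" FLAG); return exists(p);
}
/* begin: copy active/ to tmp/; every later operation in the transaction acts on that copy only. */
int store_begin(const char *store) {
    char src[512], dst[512]; sub(dst, sizeof dst, store, "tmp");
    if (mkdir(dst, 0700) != 0 && errno != EEXIST) return -1;
    sub(src, sizeof src, store, "active/" FLAG); sub(dst, sizeof dst, store, "tmp/" FLAG);
    return exists(src) ? touch(dst) : 0;
}
/* set: create (1) or remove (0) the flag file inside the sandbox copy, never in active/. */
int store_set_disable_dontaudit(const char *store, int disable) {
    char p[512]; sub(p, sizeof p, store, "tmp/" FLAG);
    return disable ? touch(p) : (unlink(p) == 0 || errno == ENOENT) ? 0 : -1;
}
/* commit: active/ -> previous/, then tmp/ -> active/; the flag file becomes active with the second rename. */
int store_commit(const char *store) {
    char prev[512], act[512], tmp[512], p[512];
    sub(prev, sizeof prev, store, "previous"); sub(act, sizeof act, store, "active"); sub(tmp, sizeof tmp, store, "tmp");
    sub(p, sizeof p, store, "previous/" FLAG); unlink(p); rmdir(prev);   /* discard the old previous/ */
    return rename(act, prev) != 0 ? -1 : rename(tmp, act);
}

/* One set and one clear cycle in a scratch store; returns 0 if every observation matches the mail, else the failing step. */
int demo_store_transaction(void) {
    char store[] = "/tmp/semstoreXXXXXX", act[512]; if (!mkdtemp(store)) return -1;
    sub(act, sizeof act, store, "active"); if (mkdir(act, 0700) != 0) return -2;
    if (store_get_disable_dontaudit(store) != 0) return 1;                        /* fresh store: no flag file */
    if (store_begin(store) || store_set_disable_dontaudit(store, 1)) return 2;
    if (store_get_disable_dontaudit(store) != 0) return 3;                        /* uncommitted: active/ unchanged */
    if (store_commit(store) || store_get_disable_dontaudit(store) != 1) return 4; /* committed: flag now active */
    if (store_begin(store) || store_set_disable_dontaudit(store, 0)) return 5;
    if (store_get_disable_dontaudit(store) != 1) return 6;                        /* still set until commit */
    return store_commit(store) == 0 && store_get_disable_dontaudit(store) == 0 ? 0 : 7;
}
```

The point to take from demo_store_transaction is step 3: a get that reads active/ keeps returning the committed value while another transaction's sandbox holds a different one, which is exactly why the flag file, not an in-memory sepol setting, is the thing to test.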