> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] > > On Tue, 2009-07-07 at 10:41 -0400, Christopher Pardy wrote: > > On 07/07/2009 10:20 AM, Stephen Smalley wrote: > > > On Tue, 2009-07-07 at 09:48 -0400, Christopher Pardy wrote: > > >> Currently any changes made to the policy which require > committing a handle cause dontaudit rules to be disabled. > This is confusing, and frustrating for users who want to edit > policy with dontaudit rules turned off. This patch allows > semanage to remember the last state of the dontaudit rules > and apply them as default whenever a handle is created. > Additionally other functions may check for the file semanage > creates to determine if dontaudit rules are turned on. This > knowledge can be useful for tools like SETroubleshoot which > may want to change their behavior depending on the state of > the dontaudit rules. In the event that a the file cannot be > created the dontaudit rules dont change and errors are set. > > >> > > >> Signed-off-by: Christopher Pardy <cpardy@xxxxxxxxxx> > > > > > > As before: > > > 1. Move the logic to initialize the flag from > > > semanage_handle_create() to semanage_direct_connect() > after the semanage_access_check() call. > > > 2. Justify why we need to call set_disable_dontaudit_flag() from > > > semanage_commit() - it should have been initialized upon > connect and > > > can only change upon semanage_set_disable_dontaudit() and thus > > > should already be correct. If we truly do need it, move to > > > semanage_direct_commit(), but explain why first please - > I don't see > > > the rationale (better yet, test without it and > demonstrate that it > > > doesn't work otherwise!). > > > > 1. If I do that then the disable_dontaudit handle will not be > > correctly set when the handle is created and the > > semanage_get_disable_dontaudit value will be wrong. More > importantly > > it may change when semanage_connect() is called. That > behavior would > > be incorrect. > Additionally just calling semanage_connect() doesn't give you the ability to write files, you must start a transaction to get a writable copy of the store, then the dontaudit_flag can write to the file and commit will move the temporary store back into place. The resulting 'active' store will have the file set and the policy will have been rebuilt without dontaudits. The file never needs to leave the store (it will be private to libsemanage and will require semanage_connect() to be called before reading the state). > Why? semanage_connect() has to be called before you first > access the file store. No other file in the file store is > even read up until that time. And, no, it cannot be changed > before semanage_connect() is called > - that has to happen before you do anything else. > > > 2. We must call set_disable_dontaudit_flag() following a commit > > because although the flag will correctly represent the changes made > > via libsemanage any changes via libsepol will not be > reflected. I'll > > move this call to semanage_direct_commit(). > Libsepol isn't used to change the policy by outside applications, it is used only internally by libsemanage. You shouldn't be calling any libsepol functions (as Steve says below). Libsepol already has the flag to remove dontaudits and that flag will be called only by libsemanage, not by any client application. Libsepol will not be aware of the disable_dontaudit file nor should it. > The application doesn't get the libsepol handle and can't > affect it directly. The libsepol handle is private to > libsemanage. It can't > happen. Really. > > You might try listening to the people who have been > maintaining the code for a long time, you know... > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
