On 08/31/2009 08:22 AM, Shintaro Fujiwara wrote:
> Thanks digging in topic that I pointed some time ago.
>
> Why don't you fix semodule to notice which module has permissive.
>
> I notice administrators in my program, i.e. segatex, when listing
> modules, list permissive modules.
>
> We tend to forget after we set some module permissive and it's quite
> convenient to set permissive when we get certain denied messages, but
> it's sad when we forgot we set certain module permissive.
>
> So, I think it's better to let administrators know which module has
> permissive module now when he typed "semodule -l ".
>
> Can anybody fix semodule to echo permissive module at the top and
> still echo list ?
>
>
> 2009/8/21 Chad Sellers <csellers@xxxxxxxxxx>:
>> Add code to semanage_direct_commit() to notice that the disable_dontaudit
>> flag has been changed and rebuild the policy if so.
>>
>> Currently, libsemanage doesn't notice that the disable_dontaudit flag is
>> set so it does not rebuild the policy. semodule got around this by calling
>> semanage_set_rebuild() explicitly, but libsemanage should really notice
>> that this has changed and rebuild appropriately.
>> --- >> libsemanage/src/direct_api.c | 7 ++++++- >> 1 files changed, 6 insertions(+), 1 deletions(-) >> >> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c >> index d563841..0eab399 100644 >> --- a/libsemanage/src/direct_api.c >> +++ b/libsemanage/src/direct_api.c >> @@ -675,7 +675,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) >> >> /* Declare some variables */ >> int modified = 0, fcontexts_modified, ports_modified, >> - seusers_modified, users_extra_modified; >> + seusers_modified, users_extra_modified, dontaudit_modified; >> dbase_config_t *users = semanage_user_dbase_local(sh); >> dbase_config_t *users_base = semanage_user_base_dbase_local(sh); >> dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
>> @@ -694,6 +694,10 @@ static int semanage_direct_commit(semanage_handle_t * sh) >> >> /* Create or remove the disable_dontaudit flag file. */ >> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); >> + if (access(path, F_OK) == 0) >> + dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1); >> + else >> + dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1); >> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { >> FILE *touch; >> touch = fopen(path, "w"); >> @@ -734,6 +738,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) >> modified |= bools->dtable->is_modified(bools->dbase); >> modified |= ifaces->dtable->is_modified(ifaces->dbase); >> modified |= nodes->dtable->is_modified(nodes->dbase); >> + modified |= dontaudit_modified; >> >> /* If there were policy changes, or explicitly requested, rebuild the policy */ >> if (sh->do_rebuild || modified) {
>> --
>> 1.6.2.5
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
>
>
seinfo --permissive

Will do this.
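Review bot: in the hunk at -694,6 +694,10, the added `access(path, F_OK) == 0` test treats every access() failure as "flag file absent", so an error other than ENOENT is read as a flag state and decides whether the policy gets rebuilt. Consider checking errno for ENOENT and failing the commit on anything else. The hunk also now calls sepol_get_disable_dontaudit(sh->sepolh) three times; reading it once into a local and setting dontaudit_modified to whether that value differs from the file's existence would be shorter and would make the intent obvious.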
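Review bot: in the hunk at -734,6 +738,7, `modified |= dontaudit_modified;` makes the commit path detect the flag change on its own, which leaves the explicit semanage_set_rebuild() call in semodule (described in the commit message as the workaround) redundant, and the patch does not say whether that call stays. State that in the commit message or remove the call in a follow-up. A one-line comment here would also help, since dontaudit_modified is the only term in this list that comes from the flag file rather than from a dbase is_modified() call.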