As reported in #123, setsebool immediately exits with an error if SELinux is disabled, preventing its use for setting boolean persistent values. In contrast, semanage boolean -m works on SELinux-disabled hosts. Change setsebool so that it can be used with the -P option (persistent changes) even if SELinux is disabled. In the SELinux-disabled case, disable the policy reload and skip setting of active boolean values, but set the persistent value in the policy store. Fixes: https://github.com/SELinuxProject/selinux/issues/123 Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- policycoreutils/setsebool/setsebool.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c index 53d3566c..fed296ee 100644 --- a/policycoreutils/setsebool/setsebool.c +++ b/policycoreutils/setsebool/setsebool.c @@ -38,10 +38,7 @@ int main(int argc, char **argv) if (argc < 2) usage(); - if (is_selinux_enabled() <= 0) { - fputs("setsebool: SELinux is disabled.\n", stderr); - return 1; - } + reload = (is_selinux_enabled() > 0); while (1) { clflag = getopt(argc, argv, "PNV"); @@ -130,6 +127,7 @@ static int semanage_set_boolean_list(size_t boolcnt, semanage_bool_key_t *bool_key = NULL; int managed; int result; + int enabled = is_selinux_enabled(); handle = semanage_handle_create(); if (handle == NULL) { @@ -191,7 +189,7 @@ static int semanage_set_boolean_list(size_t boolcnt, boolean) < 0) goto err; - if (semanage_bool_set_active(handle, bool_key, boolean) < 0) { + if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) { fprintf(stderr, "Failed to change boolean %s: %m\n", boollist[j].name); goto err; -- 2.20.1
