On Thu, Jan 10, 2019 at 5:24 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> As reported in #123, setsebool immediately exits with an error if
> SELinux is disabled, preventing its use for setting boolean persistent
> values. In contrast, semanage boolean -m works on SELinux-disabled
> hosts. Change setsebool so that it can be used with the -P option
> (persistent changes) even if SELinux is disabled. In the SELinux-disabled
> case, skip setting of active boolean values, but set the persistent value
> in the policy store. Policy reload is automatically disabled by libsemanage
> when SELinux is disabled, so we only need to call semanage_set_reload()
> if -N was used.
>
> Fixes: https://github.com/SELinuxProject/selinux/issues/123
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> v2 changes setsebool to only call semanage_set_reload() if -N was specified;
> otherwise we can use the libsemanage defaults just as we do in semodule
> and semanage.
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> policycoreutils/setsebool/setsebool.c | 15 ++++++---------
> 1 file changed, 6 insertions(+), 9 deletions(-)
>
> diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
> index 53d3566c..a5157efc 100644
> --- a/policycoreutils/setsebool/setsebool.c
> +++ b/policycoreutils/setsebool/setsebool.c
> @@ -18,7 +18,7 @@
> #include <errno.h>
>
> int permanent = 0;
> -int reload = 1;
> +int no_reload = 0;
> int verbose = 0;
>
> int setbool(char **list, size_t start, size_t end);
> @@ -38,11 +38,6 @@ int main(int argc, char **argv)
> if (argc < 2)
> usage();
>
> - if (is_selinux_enabled() <= 0) {
> - fputs("setsebool: SELinux is disabled.\n", stderr);
> - return 1;
> - }
> -
> while (1) {
> clflag = getopt(argc, argv, "PNV");
> if (clflag == -1)
> @@ -53,7 +48,7 @@ int main(int argc, char **argv)
> permanent = 1;
> break;
> case 'N':
> - reload = 0;
> + no_reload = 1;
> break;
> case 'V':
> verbose = 1;
> @@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
> semanage_bool_key_t *bool_key = NULL;
> int managed;
> int result;
> + int enabled = is_selinux_enabled();
>
> handle = semanage_handle_create();
> if (handle == NULL) {
> @@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
> boolean) < 0)
> goto err;
>
> - if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
> + if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
> fprintf(stderr, "Failed to change boolean %s: %m\n",
> boollist[j].name);
> goto err;
> @@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
> boolean = NULL;
> }
>
> - semanage_set_reload(handle, reload);
> + if (no_reload)
> + semanage_set_reload(handle, 0);
> if (semanage_commit(handle) < 0)
> goto err;
>
> --
> 2.20.1
>
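Review bot: `enabled` is only tested for truth in the `semanage_bool_set_active` guard (hunk `@@ -191,7 +187,7 @@`), so a negative return from `is_selinux_enabled()` counts as enabled, whereas the check removed from main() treated `<= 0` as disabled. If the function can still report an error with a negative value, as that removed check suggests, the active-value call would be attempted and would likely abort the commit of the persistent value; I would declare it as `int enabled = is_selinux_enabled() > 0;`. With the early exit in main() gone, a run without -P on a disabled host now reaches the non-persistent path, which is outside these hunks, so it is worth confirming that it still fails with a clear message. The body of semanage_set_boolean_list starts and ends outside both hunks.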
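Review bot: The conditional `semanage_set_reload(handle, 0)` in hunk `@@ -202,7 +198,8 @@` depends on libsemanage's default reload behaviour, which per the commit description skips the reload when SELinux is disabled, but nothing at the call site records that. A comment above `if (no_reload)` such as `/* Keep libsemanage's default (no reload when SELinux is disabled); only -N overrides it. */` would stop a later change from restoring an unconditional call. The enclosing function continues outside the hunk.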