SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Ivan Gyurdiev <ivg2_at_cornell.edu> Date: Fri, 04 Nov 2005 16:54:00 -0500 Stephen Smalley wrote: > On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote: > >> Then the options would seem to be: >> 1) Have libsemanage internally detect whether the sandbox has been >> initialized, and if not, fall back to calling the libselinux function to >> manipulate booleans.local, or >> 2) Have libsemanage provide an interface (is_semanage_enabled?) to allow >> setsebool to detect whether the system is "managed" via libsemanage >> (i.e. has the sandbox been initialized via prior semodule -b), and have >> setsebool use that interface and fall back to calling the libselinux >> function if it is not enabled. >> >> Note that libsemanage (and thus semanage.conf) will be present on the >> system regardless of whether or not the system is "managed" using it >> since policycoreutils depends on it now. >> > > I think I favor #1, as this is a legacy issue that is only going to > exist for booleans. When someone creates a setseport or setseinterface > or ..., they are just going to use the semanage interfaces, and if the > system isn't managed via libsemanage, it simply isn't going to work > (i.e. there is no fallback mechanism, as such support didn't exist prior > to the introduction of libsemanage). Thus, setsebool should likewise > unconditionally use the semanage interfaces, and libsemanage should > internally route the requests to the old libselinux interfaces if the > system isn't managed for legacy support. > I'm not sure that this makes sense... let's get to back to the reason _why_ the sandbox is uninitialized - it's because we haven't copied the proper files into the sandbox yet. Falling back to other functions seems equivalent to doing the initialization ourselves - copy the proper files into the sandbox. We could just do that instead, but I'm not sure it's a good idea. It would require the same privileges.... -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Fri 4 Nov 2005 - 16:47:25 EST This message: [ Message body ] Next message: Ivan Gyurdiev: "Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage" Previous message: Stephen Smalley: "Re: [ SEMANAGE ] Assert whitespace between records" In reply to: Stephen Smalley: "Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage" Next in thread: Ivan Gyurdiev: "Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage" Reply: Ivan Gyurdiev: "Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom