In case there are errors when committing changes to booleans, the
errors may not be reported to user except by nonzero exit status. With
"setsebool -V" it's possible to see errors from commit phase, but
otherwise the unfixed command is silent:
# setsebool -V -P secure_mode_insmod=off
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
Fixed version alerts the user about problems even without -V:
# setsebool -P secure_mode_insmod=off
Failed to commit changes to booleans: Read-only file system
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
As reported in #123, setsebool immediately exits with an error if
SELinux is disabled, preventing its use for setting boolean persistent
values. In contrast, semanage boolean -m works on SELinux-disabled
hosts. Change setsebool so that it can be used with the -P option
(persistent changes) even if SELinux is disabled. In the SELinux-disabled
case, skip setting of active boolean values, but set the persistent value
in the policy store. Policy reload is automatically disabled by libsemanage
when SELinux is disabled, so we only need to call semanage_set_reload()
if -N was used.
Fixes: https://github.com/SELinuxProject/selinux/issues/123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If one were to use multiple options such as both -P and -N we would have
problems. The issue is that for some reason instead of looking at
optind (the first non-option) we were looking at argc-optind. These
happen to be the same if there are 0 or 1 options, but doesn't work with
more than 1 option.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix setsebool to use -N to not reload policy into the kernel optional on
permanant changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a different error message when setsebool is unable to run because
the user is not root. This just helps people who try to change booleans
based on setroubleshoot output and don't know what went wrong.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Topi Miettinen
Unto Sten
Stephen Smalley
Nicolas Iooss
Dan Walsh
Eric Paris
Joshua Brindle