Project

Profile

Help

Issue #3347

closed

Advise users to use `setsebool` to set pulp_manage_rsync

Added by Ichimonji10 almost 7 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.15.3
OS:
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Sprint 32
Quarter:

Description

On Fedora 27, the semanage executable can be used to set the default state of a boolean, but not its current state. To wit:

# semanage boolean --list | head -n 1
SELinux boolean                State  Default Description
# semanage boolean --modify --off pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,  off)  Allow pulp to manage rsync
# semanage boolean --modify --on pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,   on)  Allow pulp to manage rsync

Notice how semanage sets a policy's "default" state, but not its current state? In prior versions of Fedora, both the "state" and "default" fields would be updated by this command. To set the current state of a boolean, the setsebool command now has to be used:

# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,  off)  Allow pulp to manage rsync
# setsebool pulp_manage_rsync on
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (on   ,  off)  Allow pulp to manage rsync

Note that this behaviour applies to other policies on F27, too. Here's another arbitrary policy that I arbitrarily picked out:

# semanage boolean --modify --on zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo            (off  ,   on)  Allow zoneminder to run sudo
# semanage boolean --modify --off zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo            (off  ,  off)  Allow zoneminder to run sudo

The docs currently advise using semanage here. Let's tell readers about setsebool too.

This change appears to be intentional. The system journal shows no errors. Here's the output of journalctl --follow for the time period in which semanage boolean --modify --on is executed:

-- Logs begin at Wed 2018-02-07 11:10:04 EST. --
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability open_perms=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability extended_socket_class=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability always_check_network=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability cgroup_seclabel=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability nnp_nosuid_transition=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=21)
                                                         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: USER_START pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.101.1 terminal=/dev/pts/1 res=success'
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: CRYPTO_KEY_USER pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0f:7f:33:2b:ba:6c:3a:16:47:19:de:04:1f:f7:1e:e1:61:53:9c:34:cd:0b:ea:dd:80:8d:30:66:1c:e4:a1:e9 direction=? spid=8428 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  8 users, 14 roles, 5094 types, 318 bools, 1 sens, 1024 cats
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  97 classes, 108540 rules
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Permission getrlimit in class process not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class sctp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class icmp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ax25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ipx_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class netrom_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class atmpvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class x25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rose_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class decnet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class atmsvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rds_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class irda_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class pppox_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class llc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class can_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class tipc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class bluetooth_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class iucv_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rxrpc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class isdn_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class phonet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ieee802154_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class caif_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class alg_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class nfc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class vsock_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class kcm_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class qipcrtr_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class smc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: the above unknown classes and permissions will be allowed
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability network_peer_controls=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability open_perms=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability extended_socket_class=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability always_check_network=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability cgroup_seclabel=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability nnp_nosuid_transition=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=22)
                                                         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration
</code>
Actions #2

Updated by dalley almost 7 years ago

  • Sprint/Milestone set to 54
  • Triaged changed from No to Yes
  • Groomed changed from No to Yes
Actions #3

Updated by bizhang almost 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bizhang

Added by werwty almost 7 years ago

Revision d337f46f | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

Added by werwty almost 7 years ago

Revision b6f3f042 | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

Added by werwty almost 7 years ago

Revision b6f3f042 | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

Added by werwty almost 7 years ago

Revision b6f3f042 | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

Added by werwty almost 7 years ago

Revision b6f3f042 | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

Added by werwty almost 7 years ago

Revision 93f876bb | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

closes #3347 https://pulp.plan.io/issues/3347

Actions #5

Updated by werwty almost 7 years ago

  • Status changed from POST to MODIFIED
Actions #6

Updated by bmbouter over 6 years ago

  • Platform Release set to 2.15.3
Actions #7

Updated by bmbouter over 6 years ago

  • Sprint set to Sprint 32
Actions #8

Updated by bmbouter over 6 years ago

  • Sprint/Milestone deleted (54)

Added by werwty over 6 years ago

Revision a5dbbf3f | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

closes #3347 https://pulp.plan.io/issues/3347

(cherry picked from commit 93f876bb038ca7224fbdb0b2b522fb42cded5cbc)

Added by werwty over 6 years ago

Revision bc55e044 | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

(cherry picked from commit d337f46fe34528f0a20796ccdba0d75ebbe213a3)

Added by werwty over 6 years ago

Revision 1842120e | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

(cherry picked from commit b6f3f042d06077a844b35bfad8f1c752b4975d41)

Added by werwty over 6 years ago

Revision 1842120e | View on GitHub

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.

re #3347 https://pulp.plan.io/issues/3347

(cherry picked from commit b6f3f042d06077a844b35bfad8f1c752b4975d41)

Actions #10

Updated by bmbouter over 6 years ago

  • Status changed from MODIFIED to 5
Actions #11

Updated by bmbouter over 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #12

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF