policycoreutils-3.6-4
- semanage: Reset active value when deleting boolean customizations Resolves: RHEL-126712
parent
b04c04698f
commit
cdbcc69240
@ -0,0 +1,98 @@
|
||||
From da6f2522a8de5f2f5dc5970283298ec37445e759 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Mon, 1 Sep 2025 18:17:10 +0200
|
||||
Subject: [PATCH] semanage: Reset active value when deleting boolean
|
||||
customizations
|
||||
|
||||
Currently, removal of boolean local customizations leaves their current
|
||||
(active) value untouched.
|
||||
|
||||
After the removal is complete, semanage_bool_query will return the
|
||||
default value. But it needs to be called in a separate transaction.
|
||||
This makes the fix a bit awkward, but I have not found a way to query
|
||||
the default value before the first transation is committed.
|
||||
|
||||
Fixes:
|
||||
# getsebool smbd_anon_write
|
||||
smbd_anon_write --> off
|
||||
# semanage boolean -m1 smbd_anon_write
|
||||
# semanage boolean -D
|
||||
# getsebool smbd_anon_write
|
||||
smbd_anon_write --> on
|
||||
# manage boolean -l isemanage boolean --list | grep smbd_anon_write
|
||||
smbd_anon_write (on , off) Allow smbd to anon write
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
python/semanage/seobject.py | 43 +++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 43 insertions(+)
|
||||
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 10963e81..6d6188fd 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -2886,7 +2886,15 @@ class booleanRecords(semanageRecords):
|
||||
self.__delete(name)
|
||||
self.commit()
|
||||
|
||||
+ # New transaction to reset the boolean to its default value.
|
||||
+ # Calling __reset_value in the same transaction as the removal of
|
||||
+ # local customizations does nothing
|
||||
+ self.begin()
|
||||
+ self.__reset_value(name)
|
||||
+ self.commit()
|
||||
+
|
||||
def deleteall(self):
|
||||
+ deleted = []
|
||||
(rc, self.blist) = semanage_bool_list_local(self.sh)
|
||||
if rc < 0:
|
||||
raise ValueError(_("Could not list booleans"))
|
||||
@@ -2895,10 +2903,45 @@ class booleanRecords(semanageRecords):
|
||||
|
||||
for boolean in self.blist:
|
||||
name = semanage_bool_get_name(boolean)
|
||||
+ deleted.append(name)
|
||||
self.__delete(name)
|
||||
|
||||
self.commit()
|
||||
|
||||
+ # New transaction to reset all affected booleans to their default values.
|
||||
+ # Calling __reset_value in the same transaction as the removal of
|
||||
+ # local customizations does nothing
|
||||
+ self.begin()
|
||||
+
|
||||
+ for boolean in deleted:
|
||||
+ self.__reset_value(boolean)
|
||||
+
|
||||
+ self.commit()
|
||||
+
|
||||
+ # Set active value to default
|
||||
+ # Note: this needs to be called in a new transaction after removing local customizations
|
||||
+ # in order for semanage_bool_query to fetch the default value
|
||||
+ # (as opposed to the current one -- set by the local customizations)
|
||||
+ def __reset_value(self, name):
|
||||
+ name = selinux.selinux_boolean_sub(name)
|
||||
+
|
||||
+ (rc, k) = semanage_bool_key_create(self.sh, name)
|
||||
+ if rc < 0:
|
||||
+ raise ValueError(_("Could not create a key for %s") % name)
|
||||
+
|
||||
+ (rc, b) = semanage_bool_query(self.sh, k)
|
||||
+ if rc < 0:
|
||||
+ raise ValueError(_("Could not query boolean %s") % name)
|
||||
+
|
||||
+ semanage_bool_set_value(b, semanage_bool_get_value(b))
|
||||
+
|
||||
+ rc = semanage_bool_set_active(self.sh, k, b)
|
||||
+ if rc < 0:
|
||||
+ raise ValueError(_("Could not set active value of boolean %s") % name)
|
||||
+
|
||||
+ semanage_bool_key_free(k)
|
||||
+ semanage_bool_free(b)
|
||||
+
|
||||
def get_all(self, locallist=0):
|
||||
ddict = {}
|
||||
if locallist:
|
||||
--
|
||||
2.52.0
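Review bot: In `deleteall`, one `ValueError` raised by `__reset_value` inside the second transaction leaves the loop before `self.commit()`, so the booleans in `deleted` can keep their customized active value although the first transaction has already removed their local customizations. The stored configuration then reports defaults while the running policy may still have a boolean such as `smbd_anon_write` enabled, and the message (`Could not query boolean %s`) does not say that the deletion itself went through. I would attempt every reset, commit, and then raise one error naming the booleans whose active value was not reset, as sketched below; `delete` has the same two-step shape but starts outside the first hunk, and `deleteall` is split across two hunks, so how `begin()`/`commit()` behave after an exception is not verifiable here. Separately, `__reset_value` frees `k` and `b` only on the success path, and `semanage_bool_set_value(b, semanage_bool_get_value(b))` appears to assign the value to itself, so it needs a comment explaining why or should go.

```python
        # ... unchanged: list local booleans, __delete each, first commit ...
        self.begin()

        failed = []
        for boolean in deleted:
            try:
                self.__reset_value(boolean)
            except ValueError:
                # The customization is already gone; keep resetting the rest
                # and report every boolean left with a non-default value.
                failed.append(boolean)

        self.commit()

        if failed:
            raise ValueError(_("Local customizations were removed, but the active value could not be reset for: %s") % ", ".join(failed))
```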
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 3.6
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPL-2.0-or-later
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
|
||||
@ -57,6 +57,7 @@ Patch0018: 0018-python-semanage-Allow-modifying-records-on-add.patch
|
||||
Patch0019: 0019-python-semanage-Do-not-sort-local-fcontext-definitio.patch
|
||||
Patch0020: 0020-fixfiles-drop-unnecessary-line-endings.patch
|
||||
Patch0021: 0021-restorecond-always-add-0-to-ut_user.patch
|
||||
Patch0022: 0022-semanage-Reset-active-value-when-deleting-boolean-cu.patch
|
||||
# Patch list end
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
@ -466,6 +467,9 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Thu Jan 15 2026 Veronika Syncakova <vsyncako@redhat.com> - 3.6-4
|
||||
- semanage: Reset active value when deleting boolean customizations
|
||||
|
||||
* Mon Apr 28 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.6-3
|
||||
- restorecond: always add '\0' to ut_user
|
||||
|
||||
|
||||