Features/SELinuxBooleansRename

From FedoraProject

(Moved to FeatureReadyForFesco, ticket #870)
(Current status)
 
(5 intermediate revisions by 2 users not shown)
Line 13: Line 13:
  
 
== Current status ==
 
== Current status ==
* Targeted release: [Fedora 18 ]  
+
* Targeted release: [Fedora 18]  
* Last updated: June 8 2012
+
* Last updated: Aug 13 2012
* Percentage of completion: 50%
+
* Percentage of completion: 100%
  
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
Line 84: Line 84:
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
+
* Several SELinux booleans names have been changed.  Mainly booleans beginning with allow_ will now begin with a domain specific name, for example allow_httpd_anon_write has been changed to httpd_anon_write.  If you set or get the old boolean name, it will continue to work, but the old boolean name will no longer show up in lists of booleans.
Several SELinux booleans names have been changed.  Mainly booleans beginning with allow_ will now begin with a domain specific name, for example allow_httpd_anon_write has been changed to httpd_anon_write.  If you set or get the old boolean name, it will continue to work, but the old boolean name will no longer show up in lists of booleans.
+
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
* See [[Talk:Features/Your_Feature_Name]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
+
* See [[Talk:Features/SELinuxBooleansRename]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
 
+
  
[[Category:FeatureReadyForFesco]]
+
[[Category:FeatureAcceptedF18]]
 
<!-- When your feature page is completed and ready for review -->
 
<!-- When your feature page is completed and ready for review -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
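Review bot: In the Release Notes line this hunk fills in, "Several SELinux booleans names" should read "Several SELinux boolean names", and "domain specific" should be hyphenated. The same line says the old name "will no longer show up in lists of booleans" but gives only one old-to-new pair (allow_httpd_anon_write to httpd_anon_write), so a reader who knows a different allow_ name cannot tell from this text what to look for; consider saying where the full mapping can be found.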

Latest revision as of 13:23, 27 September 2012


Feature Name

SELinux Rename Booleans Feature

Summary

Rename all booleans that currently begin with allow_ to something that is more domain specific.

Owner

  • Email: <dwalsh@redhat.com>

Current status

  • Targeted release: [Fedora 18]
  • Last updated: Aug 13 2012
  • Percentage of completion: 100%


Detailed Description

We want to rename the booleans in policy to better names. We need to modify libselinux to allow us to have a translation table to translate old names to new names. This will allow old boolean names to continue to work. Stale documentation and Google searches for boolean names will turn up old boolean names, so we need to be backward compatible.

Benefit to Fedora

Over the years, as SELinux policy has evolved, boolean names have been created somewhat randomly; the worst offenders have been the allow_NAME booleans. We have slowly standardized on a DOMAIN_action naming format, but we still have lots of old, badly named booleans. This fix will rename the booleans to something that makes better sense, but will continue to support the old names, so scripts, documentation and web searches that return the old names will continue to work. Also, if you manage older systems and want to set allow_polyinstantiation on all platforms, you will be able to set it on the new system, even though the boolean has been renamed to polyinstantiation_enabled.


Scope

Need to change libselinux to support boolean translations. Need to modify selinux-policy to actually change the names. Need to modify man pages to reflect the changes. Might need to look at Fedora Documentation to make sure it reflects the change.

How To Test

Check boolean names using semanage boolean -l, and make sure none begin with allow_. Look at Fedora 17 and test some of the boolean names there that begin with allow_ and attempt to turn the boolean on using both semanage and setsebool.

setsebool -P allow_httpd_anon_write 1

Attempt to retrieve the boolean setting using getsebool

getsebool allow_ypbind
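
The checks above, plus a scan of existing scripts for old names, written as shell functions. This is an added example, not part of the original feature page or of libselinux; the sample map and listing are constructed, and the two-column `old new` map layout is an assumption about how the translation table is stored.

```shell
#!/bin/sh
# Added example: the "How To Test" checks as reusable functions.

# Constructed old->new translation map, one "old new" pair per line.
SAMPLE_MAP='allow_httpd_anon_write httpd_anon_write
allow_polyinstantiation polyinstantiation_enabled'

# Constructed excerpt shaped like `semanage boolean -l` output; the
# allow_ypbind row is deliberately left in to show a failing listing.
SAMPLE_LIST='SELinux boolean                State  Default Description

httpd_anon_write               (off  ,  off)  Allow httpd to anon write
allow_ypbind                   (off  ,  off)  Allow ypbind'

# legacy_listed: read a boolean listing on stdin and print every name
# that still begins with allow_. Exit status 1 if any were found.
legacy_listed() {
    awk '$1 ~ /^allow_/ { print $1; bad = 1 } END { exit bad + 0 }'
}

# new_name MAP OLD: print the renamed boolean for OLD, or OLD unchanged
# when the map has no entry for it.
new_name() {
    printf '%s\n' "$1" | awk -v old="$2" '
        $1 == old { print $2; found = 1; exit }
        END { if (!found) print old }'
}

# legacy_in_script MAP: read a script on stdin and print "old -> new"
# for each distinct allow_ word, so stale names can be updated.
legacy_in_script() {
    tr -s ' \t' '\n\n' | grep '^allow_' | sort -u | while read -r b; do
        printf '%s -> %s\n' "$b" "$(new_name "$1" "$b")"
    done
}

# check_live: on a host with the renamed policy, the listing must show
# no allow_ names while the old name is still accepted by getsebool.
check_live() {
    semanage boolean -l | legacy_listed || return 1
    getsebool allow_ypbind
}
```

`check_live` needs the SELinux tools and a loaded policy; the other functions read only their arguments and stdin.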


User Experience

They may notice that some of the boolean names have changed. If they use the old name it will continue to work, but if they look at all booleans they might not see some of the names they are used to. Overall I think this will positively affect users.

One big benefit will be for command completion.

setsebool -P http<TAB>

Should give a much better list of all booleans associated with the http domain.

Dependencies

None

Contingency Plan

No Problem. We can continue to use the old names.

Documentation

Release Notes

  • Several SELinux boolean names have been changed. Mainly, booleans beginning with allow_ will now begin with a domain-specific name; for example, allow_httpd_anon_write has been changed to httpd_anon_write. If you set or get the old boolean name, it will continue to work, but the old boolean name will no longer show up in lists of booleans.

Comments and Discussion