From Fedora Project Wiki
(Moved to FeatureReadyForFesco, ticket #870)
(Moved to FeatureAcceptedF18, was accepted at 2012-06-18 FESCo meeting)
Revision as of 09:35, 19 June 2012

Feature Name

SELinux Rename Booleans Feature

Summary

Rename all booleans that currently begin with allow_ to something that is more domain specific.

Owner

  • Email: <dwalsh@redhat.com>

Current status

  • Targeted release: [Fedora 18]
  • Last updated: June 8 2012
  • Percentage of completion: 50%


Detailed Description

We want to rename the booleans in policy to better names. We need to modify libselinux so that it can use a translation table to translate old names to new names. This will allow old boolean names to continue to work. Stale documentation and Google searches for boolean names will turn up old boolean names, so we need to be backward compatible.

Benefit to Fedora

Over the years, as SELinux policy has evolved, boolean names have been created somewhat randomly. The worst offenders have been the allow_NAME booleans. We have slowly standardized on a format of DOMAIN_action name, but we still have lots of old, badly named booleans. This fix will rename the booleans to something that makes better sense, but will continue to support the old booleans so scripts, documentation and web searches that return the old names will continue to work. Also, if you are using an older system and want to set allow_polyinstantiation on all platforms, you will be able to set it on the new system, even though the boolean has been renamed to polyinstantiation_enabled.


Scope

Need to change libselinux to support boolean translations. Need to modify selinux-policy to actually change the names. Need to modify man pages to reflect the changes. Might need to look at Fedora Documentation to make sure it reflects the change.

How To Test

Check boolean names using semanage boolean -l, and make sure none begin with allow_. Look at Fedora 17 and test some of the boolean names there that begin with allow_ and attempt to turn the boolean on using both semanage and setsebool.

setsebool -P allow_httpd_anon_write 1

Attempt to retrieve the boolean setting using getsebool

getsebool allow_ypbind
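
The translation table from the Detailed Description and the checks under How To Test, sketched as an added example (not libselinux or Fedora code). The two-column table format, the sample listing and all function names are assumptions made for illustration; the two renames are the ones named on this page.

```python
# Added example: the table format and the listing below are constructed for illustration.
SUBS_TABLE = """\
# old_name new_name  (constructed; the two pairs are the renames named on this page)
allow_httpd_anon_write httpd_anon_write
allow_polyinstantiation polyinstantiation_enabled
"""

# Constructed stand-in for the names a boolean listing would report after the rename.
LIVE_BOOLEANS = ["httpd_anon_write", "httpd_can_sendmail", "polyinstantiation_enabled"]


def parse_subs(text):
    """Parse 'old new' lines into a dict, skipping blanks and # comments."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'old new', got {raw!r}")
        old, new = fields
        if old in table and table[old] != new:
            raise ValueError(f"line {lineno}: conflicting rename for {old}")
        table[old] = new
    return table


def translate(name, table):
    """Return the current name for a boolean; unknown names pass through unchanged."""
    return table.get(name, name)


def audit(live, table):
    """Return a list of problems that would break the compatibility promise."""
    live_set = set(live)
    problems = [f"{n}: still listed with allow_ prefix" for n in live if n.startswith("allow_")]
    for old, new in sorted(table.items()):
        if old in live_set:
            problems.append(f"{old}: old name is still a live boolean")
        if new not in live_set:
            problems.append(f"{old}: maps to {new}, which is not a live boolean")
        if new in table:
            problems.append(f"{old}: maps to {new}, which is itself renamed")
    return problems


if __name__ == "__main__":
    subs = parse_subs(SUBS_TABLE)
    print(translate("allow_httpd_anon_write", subs))
    print(audit(LIVE_BOOLEANS, subs) or "rename is consistent")
```

An empty result from `audit` means no listed name begins with allow_ and every old name resolves to a boolean that exists, which is the condition the manual test above checks by hand.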


User Experience

They may notice that some of the boolean names have changed. If they use the old name it will continue to work, but if they look at all booleans they might not see some of the names they are used to. Overall I think this will positively affect users.

One big benefit will be for command completion.

setsebool -P http<TAB>

Should give a much better list of all booleans associated with the http domain.

Dependencies

None

Contingency Plan

No Problem. We can continue to use the old names.

Documentation

Release Notes

Several SELinux boolean names have been changed. Mainly, booleans beginning with allow_ will now begin with a domain-specific name; for example, allow_httpd_anon_write has been changed to httpd_anon_write. If you set or get the old boolean name, it will continue to work, but the old boolean name will no longer show up in lists of booleans.

Comments and Discussion