Features/SELinuxBooleansRename

From FedoraProject

(Moved to FeatureAcceptedF18, was accepted at 2012-06-18 FESCo meeting)
(fixed a misaligned bulletpoint)

Revision as of 09:35, 19 June 2012


Feature Name

SELinux Rename Booleans Feature

Summary

Rename all booleans that currently begin with allow_ to something that is more domain specific.

Owner

  • Email: <dwalsh@redhat.com>

Current status

  • Targeted release: [Fedora 18]
  • Last updated: June 8 2012
  • Percentage of completion: 50%


Detailed Description

We want to rename the booleans in policy to better names. We need to modify libselinux so that it can carry a translation table mapping old names to new names, which will allow the old boolean names to continue to work. Stale documentation and Google searches for boolean names will turn up the old names, so we need to stay backward compatible.

Benefit to Fedora

Over the years, as SELinux policy has evolved, boolean names have been created somewhat randomly; the worst offenders have been the allow_NAME booleans. We have slowly standardized on a DOMAIN_action naming format, but we still have lots of old, badly named booleans. This fix will rename the booleans to something that makes better sense, but will continue to support the old names so that scripts, documentation and web searches that return them will continue to work. Also, if you are using an older system and want to set allow_polyinstantiation on all platforms, you will be able to set it on the new system, even though the boolean has been renamed to polyinstantiation_enabled.


Scope

Need to change libselinux to support boolean translations. Need to modify selinux-policy to actually change the names. Need to modify man pages to reflect the changes. Might need to look at Fedora Documentation to make sure it reflects the change.

How To Test

Check the boolean names using semanage boolean -l and make sure none begin with allow_. Then look at Fedora 17, pick some boolean names there that begin with allow_, and attempt to turn those booleans on using both semanage and setsebool, for example:

setsebool -P allow_httpd_anon_write 1

Attempt to retrieve the boolean setting using getsebool:

getsebool allow_ypbind
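The translation table from the Detailed Description and the checks from How To Test, as an added model in Python (not libselinux or selinux-policy code). It assumes a substitution file of "old_name new_name" lines (modelled on the booleans.subs_dist file libselinux later shipped, which this page does not mention); the boolean store and the allow_ypbind pair are constructed sample data, while the other two pairs are the page's own examples.

```python
"""Model of the old->new boolean name translation this feature adds to libselinux.
Added illustration, not libselinux/selinux-policy code. Assumes a substitution
file of 'old_name new_name' lines (modelled on booleans.subs_dist; format assumed)."""

# Constructed table: the first two pairs are the page's own examples, the
# allow_ypbind pair is made up for illustration.
SUBS_TEXT = """\
# old_name              new_name
allow_httpd_anon_write  httpd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_ypbind            nis_enabled
"""

# Constructed stand-in for the policy's boolean store: new names only.
BOOLEANS = {"httpd_anon_write": False, "polyinstantiation_enabled": False,
            "nis_enabled": True, "httpd_can_network_connect": False}

def parse_subs(text):
    """Parse 'old new' pairs; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            table[fields[0]] = fields[1]
    return table

SUBS = parse_subs(SUBS_TEXT)

def resolve(name, subs=SUBS):
    """Map a stale name to the current one; current names pass through."""
    return subs.get(name, name)

def getsebool(name, subs=SUBS):
    """'getsebool NAME' lookalike: old and new names both work."""
    return BOOLEANS[resolve(name, subs)]

def setsebool(name, value, subs=SUBS):
    """'setsebool NAME 1|0' lookalike; returns the canonical name that was set."""
    new = resolve(name, subs)
    if new not in BOOLEANS:
        raise KeyError(f"unknown boolean: {name}")
    BOOLEANS[new] = bool(value)
    return new

def list_booleans():
    """'semanage boolean -l' lookalike: only current names are listed."""
    return sorted(BOOLEANS)

def stale_names(names):
    """The 'How To Test' check: names that still begin with allow_."""
    return [n for n in names if n.startswith("allow_")]
```

Setting or getting an old name resolves to the new one, but the old name never appears in the listing, which is exactly the behaviour the release note describes.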


User Experience

Users may notice that some of the boolean names have changed. If they use an old name it will continue to work, but if they list all booleans they might not see some of the names they are used to. Overall I think this will positively affect users.

One big benefit will be for command completion.

setsebool -P http<TAB>

This should give a much better list of the booleans associated with the http domain.

Dependencies

None

Contingency Plan

No problem. We can continue to use the old names.

Documentation

Release Notes

  • Several SELinux boolean names have been changed. Mainly, booleans beginning with allow_ will now begin with a domain-specific name; for example allow_httpd_anon_write has been changed to httpd_anon_write. If you set or get the old boolean name it will continue to work, but the old name will no longer show up in lists of booleans.

Comments and Discussion