SELinux Rename Booleans Feature
Rename all booleans that currently begin with allow_ to something that is more domain specific.
- Name: Daniel Walsh
- Email: <firstname.lastname@example.org>
- Targeted release: [Fedora 18]
- Last updated: June 8 2012
- Percentage of completion: 50%
We want to rename the booleans in policy to better names. We need to modify libselinux to allow us to have a translation table to translate old names to new names. This will allow old boolean names to continue to work. Stale documentation and google searches for boolean names, will turn up old boolean names, so we need to be backward compatible.
Benefit to Fedora
Over the years as SELinux policy has evolved boolean names have been created somewhat randomly, the worst offender of these has been the allow_NAME booleans. We have slowly standardized on a format of DOMAIN_action name, but we still have lots of old badly named booleans. This fix will rename the booleans to something that makes better sense, but will continue to support the old booleans so scripts, documentation and web searches that return the old names will continue to work. Also if you are using an older system and wanted to set allow_polyinstantion on all platforms you will be able to set it on the new system, even thought the boolean name has been renamed to polyinstantion_enabled.
Need to change libselinux to support boolean translations. Need to modify selinux-policy to actually change the names. Need to modify man pages to reflect the changes. Might need to look at Fedora Documentation to make sure it reflects the change.
How To Test
Check boolean names using semanage boolean -l, and make sure none begin with allow_. Look at Fedora 17 and test some of the boolean names there that begin with allow_ and attempt to turn the boolean on using both semanage and setsebool.
setsebool -P allow_httpd_anon_write 1
Attempt to retrieve the boolean setting using getsebool
They may notice that some of the boolean names have changed, if they use the old name it will continue to work, but if they look at all booleans they might not see some of the names they are used to. Overall I think this will positively effect users.
One big benefit will be for command completion.
setsebool -P http<TAB>
Should give a much better list of all booleans associated with the http domain.
No Problem. We can continue to use the old names.
Several SELinux booleans names have been changed. Mainly booleans beginning with allow_ will now begin with a domain specific name, for example allow_httpd_anon_write has been changed to httpd_anon_write. If you set or get the old boolean name, it will continue to work, but the old boolean name will no longer show up in lists of booleans.