Discussion:
semanage question/confusion
Ed Greshko
2018-03-13 13:45:15 UTC
A while back I needed virtmanager to access an ISO file which resides on an NFS
mount.  So, I enabled virt_use_nfs.

Today I was doing some research to help someone else and I noticed that "semanage
boolean -l" shows.

virt_use_nfs                   (on  ,  on)  Allow virt to use nfs

According to the header of the output the first "on" is the state while the second is
default.  Since I had to enable it I would have thought I would see

virt_use_nfs                   (on  ,  off)  Allow virt to use nfs

Am I missing something?
--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.
   
Lukas Vrabec
2018-03-13 15:14:51 UTC
Post by Ed Greshko
A while back I needed virtmanager to access an ISO file which resides on an NFS
mount.  So, I enabled virt_use_nfs.
Today I was doing some research to help someone else and I noticed that "semanage
boolean -l" shows.
virt_use_nfs                   (on  ,  on)  Allow virt to use nfs
According to the header of the output the first "on" is the state while the second is
default.  Since I had to enable it I would have thought I would see
virt_use_nfs                   (on  ,  off)  Allow virt to use nfs
Am I missing something?
Hi Ed,

It's because "semanage boolean -m" will modify the actual state and also
the default value, which is important for reboot.

The next tool for changing the values of booleans is "setsebool". If you use:

# setsebool virt_use_nfs=1 ; this will turn on the mentioned boolean, but it
will be off after reboot.

# setsebool -P virt_use_nfs=1 ; this will turn on the mentioned boolean and it
will be persistent; it stays on after reboot.

So:

If you use "semanage boolean -m --on virt_use_nfs", it is the same as
"setsebool -P virt_use_nfs=1" and the result will be:

virt_use_nfs (on , on) Allow virt to use nfs

If you use "setsebool virt_use_nfs=1", the result will be:

virt_use_nfs (on , off) Allow virt to use nfs


I hope it's clear now.

Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
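
Added example (not part of the original thread and not written by either poster): a small filter that reads text in the "semanage boolean -l" layout quoted above and lists booleans whose current state differs from the persistent default, i.e. the "(on , off)" case the reply attributes to setsebool without -P. The sample listing and the example_* boolean names are constructed for illustration; the function name drifted_booleans is hypothetical.

```shell
#!/bin/sh
# Added example: find SELinux booleans whose runtime state and persistent
# default disagree, so a change that will not survive a reboot (or a runtime
# change that was never reviewed and persisted) is easy to spot.

# Constructed sample in the layout shown in the thread (not real host output).
# Every example_* name is made up; only virt_use_nfs comes from the thread.
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

virt_use_nfs                   (on   ,   on)  Allow virt to use nfs
example_runtime_only           (on   ,  off)  Constructed: enabled without -P
example_untouched              (off  ,  off)  Constructed: never changed
example_pending_off            (off  ,   on)  Constructed: disabled at runtime only
EOF
}

# Reads a listing on stdin, prints "name state=X default=Y" for each mismatch.
# The header and blank lines carry no "(state , default)" pair and are skipped.
drifted_booleans() {
    awk '
    match($0, /\([ \t]*(on|off)[ \t]*,[ \t]*(on|off)[ \t]*\)/) {
        name = $1
        pair = substr($0, RSTART + 1, RLENGTH - 2)  # text inside the parentheses
        gsub(/[ \t]/, "", pair)                     # e.g. "on,off"
        split(pair, v, ",")
        if (v[1] != v[2])
            print name, "state=" v[1], "default=" v[2]
    }'
}

# Demonstration on the constructed sample. On a real host (as root) use:
#   semanage boolean -l | drifted_booleans
sample_listing | drifted_booleans
```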
Ed Greshko
2018-03-13 18:56:01 UTC
Post by Lukas Vrabec
Post by Ed Greshko
A while back I needed virtmanager to access an ISO file which resides on an NFS
mount.  So, I enabled virt_use_nfs.
Today I was doing some research to help someone else and I noticed that "semanage
boolean -l" shows.
virt_use_nfs                   (on  ,  on)  Allow virt to use nfs
According to the header of the output the first "on" is the state while the second is
default.  Since I had to enable it I would have thought I would see
virt_use_nfs                   (on  ,  off)  Allow virt to use nfs
Am I missing something?
Hi Ed,
It's because "semanage boolean -m" will modify the actual state and also
the default value, which is important for reboot.
# setsebool virt_use_nfs=1 ; this will turn on the mentioned boolean, but it
will be off after reboot.
# setsebool -P virt_use_nfs=1 ; this will turn on the mentioned boolean and it
will be persistent; it stays on after reboot.
If you use: semanage boolean -m --on virt_use_nfs is same as setsebool
virt_use_nfs (on , on) Allow virt to use nfs
virt_use_nfs (on , off) Allow virt to use nfs
I hope it's clear now.
Yes, that clears it up nicely.

Thanks.

Ed
--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.