SELinuxProject/setools

Boolean conditions always get shown as "True" even though they shouldn't

sboldt1978 opened this issue · 3 comments

Maybe I don't understand the new output format of sesearch4, but I suppose the "True" or "False" after listing the booleans should show if the boolean condition is met or not. But it doesn't show this as expected:

```
[root@serverb ~]# getsebool httpd_read_user_content
httpd_read_user_content --> off
[root@serverb ~]# sesearch -A -s httpd_t -t user_home_t -p read -c file
allow httpd_t user_home_type:file { getattr ioctl lock open read }; [ httpd_read_user_content ]:True
[root@serverb ~]# sesearch --version
4.2.2
```

This is on RHEL 8.1 with current updates.

...just tested with current git version, but the output remains the same.

This is not the value of the Boolean; this indicates the rule is in the "if" block (vs. "else" block) of the conditional. The rule will be enabled if the expression is true.

This is working as intended.

Well, the 3.x versions were able to show if a rule is enabled or disabled when running with the -C parameter. There was an "ET" or "DT" in front of the rule showing if the conditions (consisting of booleans) are met. How can I now see if a rule is enabled or not? I assumed that the trailing "True" or "False" would show if the rule is currently enabled, but I understand they're not. So please tell me how to check if "ET" or "DT" with V4.x.

Thanks in advance
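An added example, not part of the thread and not setools code: one way to recover the 3.x "ET"/"DT" answer is to combine the block marker that sesearch 4 prints with the live `getsebool` state, since a rule is enabled when the expression's value equals the block it sits in. The function names are hypothetical, and the operator precedence (`!` tightest, then `==`/`!=`, `^`, `&&`, `||`) is an assumption.

```python
import re

# Trailing "[ expr ]:True|False" that sesearch 4 appends to conditional rules.
RULE_RE = re.compile(r"^(?P<rule>.+;)\s*\[\s*(?P<expr>.+?)\s*\]:(?P<block>True|False)\s*$")
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|\^|!|[A-Za-z0-9_]+)")
PREC = {"||": 1, "&&": 2, "^": 3, "==": 4, "!=": 4}  # assumed; loosest first
OPS = {"||": lambda a, b: a or b, "&&": lambda a, b: a and b,
       "^": lambda a, b: a != b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
# Rule line copied from the sesearch output quoted in the issue.
PAGE_RULE = ("allow httpd_t user_home_type:file { getattr ioctl lock open read }; "
             "[ httpd_read_user_content ]:True")

def parse_getsebool(text):
    """Map Boolean name -> True/False from `getsebool` output lines."""
    pairs = re.findall(r"^(\S+) --> (on|off)$", text, re.MULTILINE)
    return {name: state == "on" for name, state in pairs}

def evaluate(expr, booleans):
    """Evaluate a conditional expression against current Boolean values."""
    tokens, pos = TOKEN_RE.findall(expr), 0
    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not atom()
        if tok == "(":
            val = binary(1)
            pos += 1  # skip the closing ")"
            return val
        return booleans[tok]  # KeyError if that Boolean's state was not supplied
    def binary(min_prec):
        nonlocal pos
        left = atom()
        while pos < len(tokens) and PREC.get(tokens[pos], 0) >= min_prec:
            op = tokens[pos]
            pos += 1
            left = OPS[op](left, binary(PREC[op] + 1))
        return left
    return binary(1)

def rule_state(line, booleans):
    """'enabled'/'disabled' for a conditional rule, 'unconditional' otherwise."""
    m = RULE_RE.match(line.strip())
    if not m:
        return "unconditional"
    in_true_block = m.group("block") == "True"
    return "enabled" if evaluate(m.group("expr"), booleans) == in_true_block else "disabled"

if __name__ == "__main__":
    print(rule_state(PAGE_RULE, parse_getsebool("httpd_read_user_content --> off")))
```

For the rule quoted in the issue, with the Boolean off, this reports the rule as disabled, which is what 3.x marked "DT".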