Hi, On Tue, 2004-03-09 at 11:57, Russell Coker wrote: > > That's basically what %config will do in rpm. It's probably the > > simplest default behaviour for things like tunables.te. > > Yes, that will work quite well for tunable.te except when we add a new entry > that defaults to enabled. If we produce a new policy that has > define(`do_whatever') in the default tunable.te then users of the old policy > won't get it. That's true, but they _will_ get log output telling that the new config file has been created as tunables.te.rpmnew, and they can merge it themselves. There's really no straightforward way to get any better automation for it than that, right now, unless we move each tunable to a separate file in a tunables/ directory (and it might well make sense to do that, at least to group related tunables together.) Cheers, Stephen
