Ivan Gyurdiev wrote:
Gene Czarcinski wrote:

IIRC there was (at one time) a check box in system-config-security to
force autorelabel at the next reboot. Since it is now not there I
looked through the rpm changelog to see why it was dropped ... I did
not find an entry for autorelabel but I did find:

I don't know about this, but you can force an autorelabel by running:
touch /.autorelabel.

I talked to the maintainer and he removed it because of the first boot
screen. I have asked him to put it back for the case when the app is
run outside of first boot.

- Remove support for modifying tunables since policy source will be
disappearing in the future (#160896).

I have browsed/searched the various selinux mailing lists and not
found anything which discussed this. Can someone expand on what is
going on and how policy changes will be made in the future?

I'm not aware of plans to remove the policy sources. You shouldn't
need them to use selinux, however. Tunables are for making
compile-time changes to policy, while booleans are for making runtime
changes to policy. I suspect what happened here is that tunable
support got dropped, but booleans will be kept. Tunables are things
the package distributor might want to control, while booleans are for
changes by the end user.

We will be removing source when we go to ref policy. Tunables are a
choice of the distro, while booleans are to be configured by the admin.
We are working on an infrastructure to allow users to load their own
policy modules to allow local customization, the same way that third
parties would load a policy module. We want to get to the point where
policy sources are handled the same way as kernel sources, i.e., you can
use them as reference, but you do not need them to build policy modules
or perform local customizations. We are planning on allowing admins to
configure users, booleans, ports and ethernet devices outside of policy.

Is this similar to the kernel source situation where we will need to
install the src rpm for selinux-policy to get at the sources?

Sources are already in a separate package, and I think they would be
required if you wanted to modify tunables - not the case for booleans.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list