On Thu, 2008-01-24 at 14:45 -0500, Stephen Smalley wrote:
> I'd still like to deprecate setlocaldefs support and preservebools
> support in libselinux in the trunk (i.e. libselinux 2.x). I posted
> patches for completely removing such support a long while ago, but those
> particular patches would require an ABI change (as they include API
> removal) and thus I held off on them, but we could also take the more
> intermediate approach of just turning off the functionality by default
> in libselinux without disturbing the ABI.
>
> As a refresher, setlocaldefs support refers to the support for pulling
> in local boolean and user definitions at policy load time w/o managed
> policy, i.e. the approach used in RHEL4 and Fedora 3 and 4 (but not in
> Fedora 5 and later or RHEL5). By default, libselinux still checks for
> such definitions and patches them into the in-memory policy at load time
> unless /etc/selinux/config has SETLOCALDEFS=0. I'd like to make
> SETLOCALDEFS=0 the default in the trunk and require SETLOCALDEFS=1
> in /etc/selinux/config to enable the old behavior.
>
> preservebools support refers to the support for preserving active
> boolean values across a policy reload by having libselinux patch the
> active values into the in-memory policy at policy load time. As of
> Linux 2.6.22 and later, this is now handled automatically by the kernel
> as part of the policy reload and isn't needed in userspace. I'd like to
> also disable this by default in libselinux and perhaps allow it to be
> enabled via some /etc/selinux/config setting.

I should note that the latter change would affect use of newer libselinux
on RHEL5 (we'd have to add the new setting to /etc/selinux/config for the
legacy behavior) or Debian etch. Whereas the former change only affects
RHEL4.

> Thoughts?

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
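An added audit script, not part of the mail above or of libselinux, that checks whether a host still relies on the two legacy behaviours the proposal would switch off by default: it reads the effective SETLOCALDEFS value from a config file (enabled unless the file says SETLOCALDEFS=0, the current libselinux default as described above) and decides from the kernel release whether userspace preservebools support is still needed (kernels before 2.6.22). Function names and the sample config are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original mail or from libselinux.
# Audits a config file and a kernel release for reliance on the legacy
# setlocaldefs and preservebools behaviours. Function names are assumed.

# Effective SETLOCALDEFS value under the libselinux default described
# above: enabled (1) unless the file explicitly sets SETLOCALDEFS=0.
# The last matching line wins; a missing setting means enabled.
setlocaldefs_enabled() {
    val=$(sed -n 's/^[[:space:]]*SETLOCALDEFS[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    if [ "$val" = "0" ]; then echo 0; else echo 1; fi
}

# Turn a kernel release string such as "2.6.18-8.el5" into one comparable
# integer: major*100000 + minor*1000 + patch (trailing -8.el5 is ignored).
kernel_version_number() {
    rel="$1"
    maj=${rel%%.*}; rest=${rel#*.}
    min=${rest%%.*}
    case "$rest" in *.*) rest=${rest#*.} ;; *) rest="" ;; esac
    patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0
    echo $(( maj * 100000 + min * 1000 + patch ))
}

# 1 if the kernel cannot preserve boolean values across a policy reload
# by itself (older than 2.6.22), so userspace preservebools is still needed.
kernel_needs_preservebools() {
    if [ "$(kernel_version_number "$1")" -lt 206022 ]; then echo 1; else echo 0; fi
}

# Write a constructed RHEL4-style sample config to the given path.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=1
EOF
}

# Usage: audit_legacy_selinux /etc/selinux/config "$(uname -r)"
audit_legacy_selinux() {
    echo "setlocaldefs_enabled=$(setlocaldefs_enabled "$1")"
    echo "preservebools_needed=$(kernel_needs_preservebools "$2")"
}
```

A host reporting setlocaldefs_enabled=1 on a kernel that no longer needs preservebools is one whose config would need an explicit SETLOCALDEFS=1 (and whatever setting preservebools gets) once the proposed defaults land.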