Eliminating booleans would be great and replacing them with tunables, but the tunables must be discoverable, and it must be easy for the administrator to discover the "tunable" and turn it on.

Currently audit2allow/audit2why turns on all booleans in a policy and checks to see if an AVC would be allowed with any boolean. Then it prints out the booleans that would have allowed the access. We use this functionality within setroubleshoot. This is critical to making SELinux policy usable.

A user wants to allow ftp to access homedirs; he sets up ftp and SELinux blocks the access. Setroubleshoot comes up and says turn on the ftp_home_dir boolean to allow this access.

If we cannot duplicate this functionality then I NAK the change from booleans to tunables.
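An added example, not part of the original message and not audit2why's own code: a simplified model of the boolean search described above, which tries each disabled boolean and reports those that would have allowed a denied access. The toy policy, the `example_ftp_write` boolean and the sample audit line are constructed assumptions; only `ftp_home_dir` comes from the message.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset
    boolean: Optional[str]  # None means the rule is unconditional

# Constructed toy policy; example_ftp_write is a hypothetical boolean.
POLICY = [
    Rule("ftpd_t", "public_content_t", "file", frozenset({"read", "open"}), None),
    Rule("ftpd_t", "user_home_t", "file", frozenset({"read", "open"}), "ftp_home_dir"),
    Rule("ftpd_t", "public_content_rw_t", "file", frozenset({"write", "open"}), "example_ftp_write"),
]
BOOLEANS = {"ftp_home_dir": False, "example_ftp_write": False}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:]+:[^:]+:(?P<source>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<target>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Extract (source type, target type, class, permissions) from a denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial")
    return m["source"], m["target"], m["tclass"], frozenset(m["perms"].split())

def allowed(policy, booleans, avc):
    """True if the rules active under these boolean values grant every permission."""
    source, target, tclass, wanted = avc
    granted = set()
    for r in policy:
        active = r.boolean is None or booleans.get(r.boolean, False)
        if active and (r.source, r.target, r.tclass) == (source, target, tclass):
            granted |= r.perms
    return wanted <= granted

def booleans_that_allow(policy, booleans, line):
    """Names of disabled booleans that, if enabled alone, would allow the access."""
    avc = parse_avc(line)
    if allowed(policy, booleans, avc):
        return []
    return [name for name in sorted(booleans)
            if not booleans[name] and allowed(policy, {**booleans, name: True}, avc)]

# Constructed audit record for an FTP daemon reading a file in a home directory.
SAMPLE = ('type=AVC msg=audit(0.0:0): avc:  denied  { read open } for  pid=1 comm="vsftpd" '
          'name="notes.txt" scontext=system_u:system_r:ftpd_t:s0 '
          'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')
```

A tunable that is resolved when the policy is built leaves no conditional rule in the loaded policy for this kind of search to find, which is the discoverability concern the message raises.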