Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

On 08/23/11 09:43, Daniel J Walsh wrote:
> Eliminating booleans would be great and replacing them with tunables,
> but the tunables must be discoverable, and it must be easy for the
> administrator to discover the "tunable" and turn it on.
> 
> Currently audit2allow/audit2why turns on all booleans in a policy and
> checks to see if an AVC would be allowed with any boolean.  Then it
> prints out the booleans that would have allowed the access.  We use
> this functionality within setroubleshoot.  This is critical to making
> selinux policy usable.
> 
> User wants to allow ftp to access homedirs, he sets up ftp and SELinux
> blocks the access.  Setroubleshoot comes up and says turn on the
> ftp_home_dir boolean to allow this access.
> 
> 
> If we can not duplicate this functionality then I NAK the change from
> booleans to tunables.

Seems very easy to reproduce, as long as you turn on save-linked in
semanage.conf.  The linked policy would have all the tunable
information, right Harry?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
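The discovery step Daniel describes (enable booleans in the policy and check whether the denied AVC becomes allowed) modelled as a small Python search; this is an added example, not audit2why's or libsepol's own code, and the types, booleans and rules below are constructed for illustration rather than taken from any real policy.

```python
from dataclasses import dataclass, field

# Constructed mini-model of SELinux conditional policy (not libsepol).
# Type and boolean names are illustrative, not copied from refpolicy.

@dataclass(frozen=True)
class AVC:
    scontext: str   # source type, e.g. ftpd_t
    tcontext: str   # target type, e.g. user_home_t
    tclass: str     # object class, e.g. dir
    perm: str       # the permission that was denied

@dataclass
class Rule:
    scontext: str
    tcontext: str
    tclass: str
    perms: frozenset
    cond: dict = field(default_factory=dict)  # boolean -> value required; {} = unconditional

    def matches(self, avc):
        return ((self.scontext, self.tcontext, self.tclass)
                == (avc.scontext, avc.tcontext, avc.tclass)
                and avc.perm in self.perms)

    def active(self, bools):
        return all(bools.get(name, False) == want for name, want in self.cond.items())

def allowed(avc, rules, bools):
    return any(r.matches(avc) and r.active(bools) for r in rules)

def booleans_allowing(avc, rules, bools):
    """audit2why-style search: booleans which, if enabled on their own,
    would allow the denied access under the current settings."""
    if allowed(avc, rules, bools):
        return []  # already permitted; nothing to suggest
    names = {n for r in rules for n in r.cond}
    found = []
    for name in sorted(names):
        trial = dict(bools, **{name: True})
        if allowed(avc, rules, trial):
            found.append(name)
    return found

# Constructed sample policy and default boolean settings.
POLICY = [
    Rule("ftpd_t", "ftpd_exec_t", "file", frozenset({"read", "execute"})),
    Rule("ftpd_t", "user_home_t", "dir", frozenset({"search", "read"}), {"ftp_home_dir": True}),
    Rule("ftpd_t", "user_home_t", "file", frozenset({"read", "write"}), {"ftp_home_dir": True}),
    Rule("ftpd_t", "public_content_rw_t", "file", frozenset({"write"}), {"ftpd_anon_write": True}),
]
DEFAULT_BOOLS = {"ftp_home_dir": False, "ftpd_anon_write": False}

if __name__ == "__main__":
    denial = AVC("ftpd_t", "user_home_t", "dir", "search")
    print(booleans_allowing(denial, POLICY, DEFAULT_BOOLS))  # ['ftp_home_dir']
```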

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
