Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

HarryCiao wrote:
<snip>
> By default this handle-tunable option for semanage.conf could be set to 
> "discard". If audit2allow/audit2why are needed to debug AVC denied messages, we 
> could set this option to "preserve" and rebuild and reload policy.X. When the 
> related tunable is found we could toggle its default value to true and rebuild 
> policy.X with the option back to "discard" again.
> 
> This way I think Dan's worries would be addressed. Right?

I would say we could use the policycaps bitmap for this, but since we already
have to bump the module version to support the extra field, there is no reason we
can't just add a flag.

> 
> BTW, is this the correct or best way to pass configuration options on to the link 
> process? I have created two patches for the above logic (see attached); however, I am 
> pretty new to semanage and run into a syntax error while parsing semanage.conf. 
> Chris, could you please kindly take a look at what has been wrong in my 0007 
> patch? Many thanks!
> 


Your libsemanage would need to have the option added in order to pass that in.
It could be passed in via the libsepol handle. See how set_disable_dontaudit
works for an example.
