HarryCiao wrote:
<snip>
> By default this handle-tunable option for semanage.conf could be set to
> "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we
> could set this option to "preserve" and rebuild and reload policy.X. When the
> related tunable is found we could toggle its default value to true and rebuild
> policy.X with the option back to "discard" again.
>
> This way I think Dan's worries would be addressed. Right?

I would say we could use the policycaps bitmap for this, but since we already have to bump the module version to support the extra field there is no reason we can't just add a flag.

>
> BTW, is this the correct or best way to pass configuration options on to link
> process? I have created two patches for above logic (see attached), however I am
> pretty new to semanage and run into syntax error while parsing semanage.conf.
> Chris, could you please kindly take a look at what has been wrong in my 0007
> patch? Many thanks!
>

Your libsemanage would need to have the option added in order to pass that in. It could be passed in via the libsepol handle. See how set_disable_dontaudit works for an example.