Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2011 01:54 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Eliminating booleans would be great and replacing them with
>> tunables, but the tunables must be discoverable, and it must be
>> easy for the administrator to discover the "tunable" and turn it
>> on.
>> 
>> Currently audit2allow/audit2why turns on all booleans in a policy
>> and checks to see if an AVC would be allowed with any boolean.
>> Then it prints out the booleans that would have allowed the
>> access.  We use this functionality within setroubleshoot.  This
>> is critical to making selinux policy usable.
>> 
>> User wants to allow ftp to access homedirs, he sets up ftp and
>> SELinux blocks the access.  Setroubleshoot comes up and says turn
>> on the ftp_home_dir boolean to allow this access.
>> 
>> 
>> If we can not duplicate this functionality then I NAK the change
>> from booleans to tunables.
> 
> You could actually force a downgrade to a pre-tunable format and
> use that policy to do the setroubleshoot lookups. Since the policy
> is already linked/expanded and just needs to be written out twice
> it wouldn't add much time to policy building (granted that adding
> _any_ time to policy building is adding too much...)
I might not have explained it correctly; I really meant the policy
would have to toggle each tunable/boolean one at a time and see if the AVC
was allowed.  Recompiling the policy for each tunable/boolean change
would not be supportable for time and CPU reasons.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5VXg8ACgkQrlYvE4MpobOtmACgmlsz2hzqglhb/P0CN/ubVoqp
4kwAnjykI9RWDmIQMwYcuwDDRBiMUjnv
=BTix
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
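The boolean search Walsh describes (try each boolean, re-check the denied AVC against the already-loaded policy, report the ones that would have allowed it) as an added, simplified model. This is example code written for this page, not audit2why, setroubleshoot or libsepol code: the `Policy`, `Rule` and `Avc` classes are a hypothetical in-memory stand-in for a loaded binary policy, and the rule set is constructed for the example (the boolean and type names are borrowed from the refpolicy ftp module, but the rules themselves are invented). What it shows is the cost model the reply hinges on: each candidate boolean costs one lookup against the loaded rules, and nothing in the loop rebuilds or reloads the policy.

```python
"""Toy model of the audit2why-style boolean search discussed in the thread.

Added example, not code from audit2allow/audit2why or libsepol. The policy
below is a hand-built miniature (a few types, three booleans), not a real
loaded policy. Conditional rules are modelled as allow rules guarded by
(boolean, required_value) pairs, which is enough to show that finding the
booleans that would permit a denied AVC is a per-boolean lookup, with no
policy rebuild in the loop.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Avc:
    """One denied access, as it would appear in an AVC audit record."""
    scontext: str   # source type, e.g. ftpd_t
    tcontext: str   # target type, e.g. user_home_t
    tclass: str     # object class, e.g. file
    perm: str       # requested permission, e.g. read


@dataclass(frozen=True)
class Rule:
    """An allow rule, optionally wrapped in an if(<boolean>) block.

    cond is a tuple of (boolean_name, required_value) pairs; every pair must
    hold for the rule to be active. An empty tuple is an unconditional rule.
    """
    scontext: str
    tcontext: str
    tclass: str
    perms: frozenset
    cond: tuple = ()


class Policy:
    """Hypothetical stand-in for a policy already linked, expanded and loaded."""

    def __init__(self, booleans, rules):
        self.booleans = dict(booleans)   # current boolean values
        self.rules = list(rules)

    def allows(self, avc, booleans=None):
        """Decide whether avc is permitted under the given boolean settings."""
        bools = self.booleans if booleans is None else booleans
        for r in self.rules:
            if (r.scontext, r.tcontext, r.tclass) != (avc.scontext, avc.tcontext, avc.tclass):
                continue
            if avc.perm not in r.perms:
                continue
            if all(bools[name] == value for name, value in r.cond):
                return True
        return False


def booleans_that_would_allow(policy, avc):
    """Return [(boolean, value)] such that flipping that one boolean permits avc.

    This is the one-at-a-time toggle from the reply: each boolean is flipped
    from its current value, the AVC is re-checked against the same loaded
    policy object, and the boolean is reported if the access becomes allowed.
    """
    if policy.allows(avc):
        return []           # nothing to explain: access is already permitted
    hits = []
    for name, current in policy.booleans.items():
        trial = dict(policy.booleans)
        trial[name] = not current
        if policy.allows(avc, trial):
            hits.append((name, not current))
    return hits


def suggest(policy, avc):
    """Render hits the way setroubleshoot phrases them: one setsebool command each."""
    return ["setsebool -P %s %d" % (name, int(value))
            for name, value in booleans_that_would_allow(policy, avc)]


# Constructed miniature policy: boolean and type names follow refpolicy's ftp
# module, but the rule set is invented for this example.
POLICY = Policy(
    booleans={"ftp_home_dir": False, "ftpd_full_access": False, "ftpd_anon_write": False},
    rules=[
        Rule("ftpd_t", "ftpd_etc_t", "file", frozenset({"read", "getattr", "open"})),
        Rule("ftpd_t", "user_home_t", "dir", frozenset({"read", "search", "getattr"}),
             cond=(("ftp_home_dir", True),)),
        Rule("ftpd_t", "user_home_t", "file", frozenset({"read", "write", "getattr", "open"}),
             cond=(("ftp_home_dir", True),)),
        Rule("ftpd_t", "user_home_t", "file", frozenset({"read", "write", "create", "unlink"}),
             cond=(("ftpd_full_access", True),)),
        Rule("ftpd_t", "public_content_rw_t", "file", frozenset({"write", "create"}),
             cond=(("ftpd_anon_write", True),)),
    ],
)

if __name__ == "__main__":
    # The scenario from the thread: ftpd denied read on a user's home file.
    for line in suggest(POLICY, Avc("ftpd_t", "user_home_t", "file", "read")):
        print(line)
    # A denial no boolean explains: the answer is an empty list, not a rebuild.
    print(suggest(POLICY, Avc("ftpd_t", "shadow_t", "file", "read")))
```

Two points the model makes visible. First, the "turn on all booleans" pre-check in the quoted message and the one-at-a-time toggle in the reply are the same workload class: both are lookups against a policy that is already in memory, which is exactly what a scheme that requires recompiling per tunable cannot offer. Second, toggling rather than unconditionally enabling matters for rules guarded by a negated boolean (`if (!foo)`), which only a flip away from the current value would ever find.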

