Joshua Brindle wrote:
> HarryCiao wrote:
> <snip>
>
>> By default this handle-tunable option for semanage.conf could be set to
>> "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we
>> could set this option to "preserve" and rebuild and reload policy.X. When the
>> related tunable is found we could toggle its default value to true and rebuild
>> policy.X with the option back to "discard" again.
>>
>> This way I think Dan's worries would be addressed. Right?
>>
>
> I would say we could use the policycaps bitmap for this but since we already
> have to bump the module version to support the extra field there is no reason we
> can't just add a flag.
>
>> BTW, is this the correct or best way to pass configuration options on to link
>> process? I have created two patches for above logic (see attached), however I am
>> pretty new to semanage and run into syntax error while parsing semanage.conf.
>> Chris, could you please kindly take a look at what has been wrong in my 0007
>> patch? Many thanks!
>>
>
> Your libsemanage would need to have the option added in order to pass that in.
> It could be passed in via the libsepol handle. See how set_disable_dontaudit
> works for an example.
>

Hi Joshua,

Ok, I see your point, I would learn how disable_dontaudit is passed via libsepol handle and follow the same path.

Thanks,
Harry