On 08/26/11 09:06, Christopher J. PeBenito wrote:
> On 08/26/11 08:59, Daniel J Walsh wrote:
>> I agree, I would like to take the patch to make tunables real, but we
>> need to have a similar level of diagnosis capability to what we have now.
>>
>> The admin needs to know what the tunables are and needs to be able to
>> take an AVC and see if any tunable/boolean would allow the AVC.
>>
>> If we had this, I would be racing towards the tunable.
>>
>> I see this as two steps.
>>
>> 1. Implement what we have now in booleans in tunables to shrink the
>>    size of policy.
>> 2. Allow policy writers to define rules within tunables that is
>>    currently not available in booleans.
>>    - Type Definitions
>>    - Assigning attributes
>
> I would go farther than that. I think it should be any statement that
> is allowed in an optional block. If I can get the RBAC stuff in there,
> then I can get rid of the DIRECT_INITRC build option, which exists due
> to the role_transition statement in the init_run_daemon() interface.

By "get rid of" I mean "convert to tunable".

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com