On 09/28/2012 03:18 PM, Eric Paris wrote:
What do others think about this? Should we cause -a to act like -m or
should it abort? Should we force the -a -> -m logic up to the caller?
I guess I'm fine with either. Is semanage -a enough like semodule -i
and -m like -u that this would actually be expected behavior?
I'm inclined to think it should be the other way around, that is, -m
should act like -a.
If you create a new rule using semanage -a that differs in multiple but
potentially subtle ways from an existing entry you are unaware of, the
result may not be at all what you wanted; in that case, the user should
be warned that the record already exists. Maybe a compromise, to improve
usability, would be to test for single vs multiple changes before
throwing an error.
/Harry