SELinux Mailing List

Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Fri, 04 Nov 2005 11:12:37 -0500


On Fri, 2005-11-04 at 11:08 -0500, Daniel J Walsh wrote:
> > BTW, the new setsebool presumes a system that is "managed" via
> > libsemanage and already has its policy in the sandbox, so it will break
> > if used on a system that hasn't been converted to that model. Do we
> > care? Do we need to support the old behavior (direct manipulation of
> > the installed booleans.local file via libselinux) as a fallback on a
> > non-managed system?
> >
> >
> Yes I think we need to maintain the previous setsebool, otherwise we
> will need to tie policycoreutils to policy version.

Then the options would seem to be:
1) Have libsemanage internally detect whether the sandbox has been initialized, and if not, fall back to calling the libselinux function to manipulate booleans.local, or
2) Have libsemanage provide an interface (is_semanage_enabled?) to allow setsebool to detect whether the system is "managed" via libsemanage (i.e. has the sandbox been initialized via prior semodule -b), and have setsebool use that interface and fall back to calling the libselinux function if it is not enabled.

Note that libsemanage (and thus semanage.conf) will be present on the system regardless of whether or not the system is "managed" using it since policycoreutils depends on it now.

-- 
Stephen Smalley
National Security Agency


Received on Fri 4 Nov 2005 - 11:22:07 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service