Stephen Smalley wrote:

>On Thu, 2004-08-05 at 08:30, Stephen Smalley wrote:
>  
>
>>Dan has raised the issue of how to handle policy reloads when using
>>booleans, as a policy reload will reset the boolean values to the
>>compile-time default settings.  We could certainly extend load_policy to
>>also set the booleans based on the same configuration file used at boot
>>time, but that will leave open a window between the policy reload and
>>the setting of the booleans where the active policy will fall back to
>>the compile-time defaults.  That could break running processes or create
>>a window of vulnerability, depending on whether the compile-time
>>defaults are more secure or less secure than the configuration file
>>settings.  We could have the policy Makefile patch the boolean default
>>settings based on the configuration file, so that a policy rebuild would
>>change the compile-time defaults to match the desired settings, but that
>>requires policy sources, which may not be available (e.g. the policy
>>reload may have been triggered by a binary policy update, and the end
>>system may not have policy sources installed).  Thoughts?
>>    
>>
>
>Actually, it would be easy to create a simple utility that patches a
>binary policy to change the boolean default values, so that would be a
>possibility.  
>
>  
>
Here is the current patch I was using for load_policy.  As has been 
stated this is not the ideal situation.
Patching the policy.conf is probably the best solution.   Utilities to 
read booleans probably usefull here.

Dan