We have a problem in the way we are handling booleans in FC3/RHEL4. Basically we are allowing the user to edit the booleans file either by hand or by using setsebool -P.

One problem is that if we want to override the default boolean value in policy with the booleans file, we cannot, because selinux-policy-* has booleans marked as config(noreplace). Otherwise the user would lose his settings.

Second problem is that setsebool allows users to customize booleans and as an option make them permanent. The way it makes them permanent is it takes the values that are currently running in the kernel and rewrites the boolean file. This brings up the following bug:

    > setsebool allow_ypbind=0
    > setsebool -P squid_disable_trans=1

Ends up with a booleans file containing

    allow_ypbind=0
    squid_disable_trans=1

Which is probably not what the user wanted.

So this patch changes the selinux handling of booleans. First it introduces a new file booleans.local which will contain the user's custom boolean settings. booleans will be changed to a config file so that it will be overwritten by rpm on upgrade. security_load_booleans now reads booleans and booleans.local to set up boolean values. setsebool now only writes the changed values to booleans.local.

Ideas?

Dan
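The following is an added sketch, not part of the original message or the patch it describes. It models the bug and the proposed booleans.local behaviour on the `name=value` file format shown above; all function names and the packaged default values are hypothetical and constructed for illustration, and none of this is libselinux code.

```python
# Added illustration; function names are hypothetical, not libselinux APIs.

def parse_booleans(text):
    """Parse 'name=value' lines (the format shown in the message) into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = int(value.strip())
    return values

def render(values):
    """Serialize a dict back to 'name=value' lines, sorted for stable output."""
    return "".join(f"{name}={value}\n" for name, value in sorted(values.items()))

def persist_snapshot(kernel_state):
    """Old behaviour: -P rewrites the file from every value live in the kernel."""
    return render(kernel_state)

def persist_changed(local_text, changes):
    """Proposed behaviour: -P records only the booleans named on the command line."""
    local = parse_booleans(local_text)
    local.update(changes)
    return render(local)

def load_booleans(booleans_text, local_text):
    """Proposed load order: packaged booleans first, then booleans.local overrides."""
    merged = parse_booleans(booleans_text)
    merged.update(parse_booleans(local_text))
    return merged

def demo():
    packaged = "allow_ypbind=1\nsquid_disable_trans=0\n"  # constructed defaults
    kernel = parse_booleans(packaged)
    kernel["allow_ypbind"] = 0           # setsebool allow_ypbind=0 (runtime only)
    change = {"squid_disable_trans": 1}  # setsebool -P squid_disable_trans=1
    kernel.update(change)
    old_file = persist_snapshot(kernel)       # temporary change leaks into the file
    new_local = persist_changed("", change)   # only the -P change is recorded
    return old_file, new_local, load_booleans(packaged, new_local)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

With the snapshot approach the temporary `allow_ypbind=0` becomes permanent; with booleans.local only `squid_disable_trans=1` survives a reload, and a later package upgrade can change the default for `allow_ypbind` without touching the user's override.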