On 07/02/2009 08:33 AM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 22:08 -0400, Christopher Pardy wrote:
>
>> This is a heavily modified version of the patch I recently submitted. It
>> provides 3 new functions: in libsepol sepol_get_disable_dontaudit; in
>> libsemanage semanage_get_disable_dontaudit; in libselinux
>> is_dontaudit_disabled. It also fixes issues with the previous patch.
>>
>> The justification for this patch is the same as the one I posted
>> earlier. Simply, there is currently no way to know if dontaudit rules
>> are enabled. Additionally, once don't audit rules are turned they turn
>> themselves off after policy rebuild (is that the desired functionality?)
>>
>
> semodule -DB should still strip dontaudit rules from the policy, and
> semodule -B should still restore them. The only thing that should
> change IIUC is that semodule -DB should persist across any other
> semodule or semanage operations other than semodule -B.
>
> See Dan Walsh's patch to policycoreutils for this functionality.

I need the functionality I'm creating with this persistence in some GUI
work I'm doing, and I believe it's much more intuitive if things stay
turned off till they're turned back on.

>> This patch provides a way to check on both the current and pending
>> state of the dontaudit rules, and it maintains this state between policy
>> rebuilds.
>>
>> Signed-off-by: Christopher Pardy
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>