-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At the end of last year I was complaining about audit2allow and the SELinux
tools chain not being able to give better information about what constraint is
being violated, so a admin or policy writer could have a clue on how to fix
the problem.

A fairly common problem is domains trying to change the role or user component
of the label.  Or in the MCS and MLS world, what attribute do I need to add to
my policy to allow the AVC.

Richard Haines wrote some nice patches to add the constraint information to
the kernel and to change user space to reveal this information.

Sadly we thought these discussions had happened on the list, but I guess we
had taken it private.  Here is the userspace patch to reveal this information.

The kernel team will be posting the kernel patch hopefully soon.  We believe
that even though the kernel does not need the additional information about the
constraint, the limited space required to carry this information makes sense.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJpIHwACgkQrlYvE4MpobM6vgCg3IoQr5tlM8NVgT/pId2QpKrz
E5gAoInxyCNAOQuXA1M6Z1YX36U9y31u
=3Ern
-----END PGP SIGNATURE-----