Now that Gentoo's SELinux profile has switched to reference policy, as we all know there are many configurable options in those .te files: gen_tunable. In most cases these gen_tunables default to off, like allow mount, or allowing bind to write the zone files (DDNS needs this), and there is no easy way to enable them in Gentoo, so I made some modifications to the eclass. I added two variables to the selinux-policy ebuild, DISABLE_TUNABLE and ENABLE_TUNABLE; just add the tunables to these variables and the eclass will do the job. This modification is easier than making a patch file. It can also be added to the selinux-base-policy ebuild, because there are some gen_tunables in the base policy module.

Reproducible: Always
the patch: --- /usr/portage/eclass/selinux-policy-2.eclass 2007-07-08 00:35:43.000000000 +0800 +++ selinux-policy-2.eclass 2007-11-28 15:07:33.000000000 +0800 @@ -35,6 +35,22 @@ # use .if from headers done + for t in ${ENABLE_TUNABLE}; do + ebegin "Enabling tunable config ${t}" + search="gen_tunable(${t},.*)" + replace="gen_tunable(${t},true)" + sed -i "s|${search}|${replace}|" ${modfiles} > /dev/null + eend $? + done + + for t in ${DISABLE_TUNABLE}; do + ebegin "Disabling tunable config ${t}" + search="gen_tunable(${t},.*)" + replace="gen_tunable(${t},false)" + sed -i "s|${search}|${replace}|" ${modfiles} > /dev/null + eend $? + done + for i in ${POLICY_TYPES}; do mkdir ${S}/${i} cp ${S}/refpolicy/doc/Makefile.example ${S}/${i}/Makefile
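Review bot: in both the ENABLE_TUNABLE and DISABLE_TUNABLE loops `sed -i` exits 0 whether or not any line matched `gen_tunable(${t},.*)`, so a misspelled or non-existent tunable name passes `eend $?` and the ebuild reports success while the policy is unchanged; check first with something like `grep -q "gen_tunable(${t}," ${modfiles} || die "unknown tunable ${t}"` before the `sed -i`. Two smaller points on the same lines: `.*` in `search` runs to the end of the line, so any text after the closing paren of a `gen_tunable(...)` declaration (a trailing comment, for instance) is discarded by the rewrite, and `> /dev/null` on `sed -i` redirects nothing and can be dropped. The new ENABLE_TUNABLE and DISABLE_TUNABLE variables also need a description in the eclass header comment so ebuild authors can find them, and it is worth stating that a tunable listed in both variables ends up disabled, since the DISABLE loop runs last.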
Created attachment 137197 [details, diff] patch for the eclass file
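The sed rewrite that the report describes, as an added example that is not the eclass patch attached to this bug: a small POSIX sh function that flips the default of one gen_tunable() declaration in a policy source file, anchors on the whole name so a shorter name cannot match a longer one, keeps whatever follows the closing paren, and fails with a non-zero status when the tunable is not declared instead of silently doing nothing. It assumes refpolicy's `gen_tunable(name, default)` declaration form with optional whitespace; the .te fragment in the demo is constructed for the example.

```shell
#!/bin/sh
# Added example, not the eclass code from this bug.
# Assumes refpolicy declarations of the form: gen_tunable(name, default)

# valid_name NAME -> 0 if NAME is a plausible tunable identifier
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    return 0
}

# get_tunable FILE NAME -> prints the declared default (true/false), if any
get_tunable() {
    file=$1; name=$2
    valid_name "$name" || return 1
    sed -n "s/^[[:space:]]*gen_tunable([[:space:]]*${name}[[:space:]]*,[[:space:]]*\([a-z]*\)[[:space:]]*).*/\1/p" "$file"
}

# set_tunable FILE NAME VALUE -> rewrites FILE in place.
# Returns 1 on a bad name or value, 2 when NAME is not declared in FILE.
set_tunable() {
    file=$1; name=$2; value=$3
    if ! valid_name "$name"; then
        echo "set_tunable: bad tunable name '$name'" >&2
        return 1
    fi
    case "$value" in
        true|false) ;;
        *) echo "set_tunable: value must be true or false, got '$value'" >&2; return 1 ;;
    esac
    # Unlike a bare sed -i, refuse to continue when nothing would match:
    # a typo in the name must not look like success.
    if ! grep -q "^[[:space:]]*gen_tunable([[:space:]]*${name}[[:space:]]*," "$file"; then
        echo "set_tunable: tunable '$name' is not declared in $file" >&2
        return 2
    fi
    # Group 1: everything up to the old default; group 2: the closing paren
    # and anything after it (kept intact). Only the default word is replaced.
    sed "s/^\([[:space:]]*gen_tunable([[:space:]]*${name}[[:space:]]*,[[:space:]]*\)[a-z]*\([[:space:]]*).*\)$/\1${value}\2/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo: constructed .te fragment (not a real refpolicy file), two toggles,
# then the rewritten text on stdout.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
## <desc>
## Allow BIND to write the master zone files (needed for DDNS).
## </desc>
gen_tunable(named_write_master_zones, false)
gen_tunable(allow_mount_anyfile,false)
gen_tunable(allow_mount_anyfile_extra, true) # constructed, shares a prefix
EOF
    set_tunable "$tmp" named_write_master_zones true || return 1
    set_tunable "$tmp" allow_mount_anyfile true || return 1
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Using the same loop shape as the patch, `for t in ${ENABLE_TUNABLE}; do set_tunable "$f" "$t" true || die; done` would abort the build on an unknown tunable name rather than reporting success for a policy that was never changed.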
Tunables are implemented as booleans, so you can use setsebool to change the setting. Add -P to make it the default setting (otherwise it will reset on reboot).