rpms/pam_ssh/F-8 pam_ssh.te,NONE,1.1 pam_ssh.spec,1.13,1.14
Martin Ebourne
lists at ebourne.me.uk
Tue Nov 27 22:12:22 UTC 2007
On Tue, 27 Nov 2007 17:05:54 -0500, Steve Grubb wrote:
> On Tuesday 27 November 2007 16:27:25 Martin Ebourne wrote:
>> In the absence of an ability for selinux to know if pam_ssh is
>> configured then at least having the policy in the module would only
>> activate it if pam_ssh was installed.
>
> This is why we have selinux booleans. Its to swing permissions in and
> out depending on what's installed.
Booleans should be for policy decisions the administrator needs to make.
(eg. allow users to run servers that listen on tcp ports)
Having a boolean to enable use of a package you've already installed is
the wrong use.
Cheers,
Martin.
More information about the fedora-devel-list
mailing list