From e2707be9e12b09eae4e9835c539a19e2e6727533 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 21 Mar 2016 11:15:41 +0100 Subject: [PATCH] Enable expand-check in semanage.conf libsepol was fixed before release 2.4 and expand-check=1 doesn't make a big time penalty. On the other hand, it's helpful to make it enabled by default. Resolves: rhbz#1319652 --- semanage.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/semanage.conf b/semanage.conf index bc9d4ac..1dce37b 100644 --- a/semanage.conf +++ b/semanage.conf @@ -36,9 +36,10 @@ module-store = direct # version is necessary. #policy-version = 19 -# expand-check check neverallow rules when executing all semanage commands. -# Large penalty in time if you turn this on. -expand-check=0 +# expand-check check neverallow rules when executing all semanage +# commands. There might be a penalty in execution time if this +# option is enabled. +expand-check = 1 # usepasswd check tells semanage to scan all pass word records for home directories # and setup the labeling correctly. If this is turned off, SELinux will label /home