Binary policy modules

Mike Hearn mike at plan99.net
Thu Oct 13 13:55:46 UTC 2005


On Wed, 12 Oct 2005 15:37:35 -0400, Joshua Brindle wrote:
> The format is versioned the same way the kernel binary format is, so any
> changes to the format use a different version number, and backward
> compatibility is retained.

That's good, but it's not what I asked. What are the binary compatibility
commitments you guys are making? Is it expected that the format will
change in future? Was it designed to be extendable? Is there some kind of
internal chunking system so new data can be added in a way that older
versions of SELinux will ignore?

> only as neutral as policies are, which isn't all that neutral right now.

Hmm, that sucks. For very simple policy like "this process can do XYZ"
shouldn't it be independent of targeted vs strict/fedora vs gentoo?
Are the capability names actually variable between distributions?

> Hopefully this will change when reference policy is used by everyone
> and optional tunables are built into the language.

OK, I'm glad there's a plan for this.
> you might look at this thread:
> http://marc.theaimsgroup.com/?l=selinux&m=112871525005860&w=2 for more
> information. Particularly the justification for building separate packages
> for policy and the application.

OK. This doesn't affect autopackage so much as it's meant for third party
packages, and therefore developers are expected to define their own policy
which would be independent of strict/targeted. I question the solution
given for RPM - why not simply fix RPM so it loads policy before
installing files?

thanks -mike
