From: Sebastien Buisson <sbuisson.ddn@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <james.l.morris@oracle.com>,
linux-security-module@vger.kernel.org,
Sebastien Buisson <sbuisson@ddn.com>,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH v6 1/2] selinux: add brief info to policydb
Date: Wed, 24 May 2017 17:26:20 +0200 [thread overview]
Message-ID: <CAPkE-bXeTJhD+CXFVpzBGWuAvsddTX+6gkRrmqZE69yu2Vwrtg@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhTBSfNO+st9S+wCvy5KQVxQ1U1CBJN1Sec9Jh=pb6VT3A@mail.gmail.com>
2017-05-23 21:11 GMT+02:00 Paul Moore <paul@paul-moore.com>:
> On Tue, May 23, 2017 at 12:29 PM, Sebastien Buisson
> <sbuisson.ddn@gmail.com> wrote:
>> Another way could be to add another hook to check policy brief info
>> validity. It would take a string as an input parameter, and return 0
>> if it matches the current policy. So Lustre client code would
>> systematically call this hook, and only call security_policydb_brief()
>> when the policy has changed, to store the current value internally.
>
> I'm not sure I like this approach as much as the one above, for a
> variety of reasons. Is this option more desirable from a Lustre point
> of view?
It is true that now that the notification code is present in the
selinux/next branch, it is worth using it. I was thinking, but I may
be wrong, that future inclusion of this series of patches in some
distributions' kernels like CentOS or RedHat would be easier if it did
not have dependencies on other patches. This is why I thought about an
alternative solution.
Technically speaking, the solution based on notifications can fit the
Lustre needs, letting Lustre maintain its own sequence number as you
suggest.
Sebastien.
WARNING: multiple messages have this Message-ID (diff)
From: sbuisson.ddn@gmail.com (Sebastien Buisson)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v6 1/2] selinux: add brief info to policydb
Date: Wed, 24 May 2017 17:26:20 +0200 [thread overview]
Message-ID: <CAPkE-bXeTJhD+CXFVpzBGWuAvsddTX+6gkRrmqZE69yu2Vwrtg@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhTBSfNO+st9S+wCvy5KQVxQ1U1CBJN1Sec9Jh=pb6VT3A@mail.gmail.com>
2017-05-23 21:11 GMT+02:00 Paul Moore <paul@paul-moore.com>:
> On Tue, May 23, 2017 at 12:29 PM, Sebastien Buisson
> <sbuisson.ddn@gmail.com> wrote:
>> Another way could be to add another hook to check policy brief info
>> validity. It would take a string as an input parameter, and return 0
>> if it matches the current policy. So Lustre client code would
>> systematically call this hook, and only call security_policydb_brief()
>> when the policy has changed, to store the current value internally.
>
> I'm not sure I like this approach as much as the one above, for a
> variety of reasons. Is this option more desirable from a Lustre point
> of view?
It is true that now that the notification code is present in the
selinux/next branch, it is worth using it. I was thinking, but I may
be wrong, that future inclusion of this series of patches in some
distributions' kernels like CentOS or RedHat would be easier if it did
not have dependencies on other patches. This is why I thought about an
alternative solution.
Technically speaking, the solution based on notifications can fit the
Lustre needs, letting Lustre maintain its own sequence number as you
suggest.
Sebastien.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-05-24 15:27 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-17 17:09 [PATCH v6 1/2] selinux: add brief info to policydb Sebastien Buisson
2017-05-17 17:09 ` Sebastien Buisson
2017-05-17 17:09 ` [PATCH v6 2/2] selinux: expose policy brief via selinuxfs Sebastien Buisson
2017-05-17 17:09 ` Sebastien Buisson
2017-05-17 18:30 ` [PATCH v6 1/2] selinux: add brief info to policydb Stephen Smalley
2017-05-17 18:30 ` Stephen Smalley
2017-05-17 19:08 ` William Roberts
2017-05-17 19:08 ` William Roberts
2017-05-17 22:19 ` Paul Moore
2017-05-17 22:19 ` Paul Moore
2017-05-18 14:01 ` Stephen Smalley
2017-05-18 14:01 ` Stephen Smalley
2017-05-18 15:07 ` Stephen Smalley
2017-05-18 15:07 ` Stephen Smalley
2017-05-18 21:49 ` Paul Moore
2017-05-18 21:49 ` Paul Moore
2017-05-23 16:29 ` Sebastien Buisson
2017-05-23 16:29 ` Sebastien Buisson
2017-05-23 19:11 ` Paul Moore
2017-05-23 19:11 ` Paul Moore
2017-05-24 15:26 ` Sebastien Buisson [this message]
2017-05-24 15:26 ` Sebastien Buisson
2017-05-23 19:53 ` Stephen Smalley
2017-05-23 19:53 ` Stephen Smalley
2017-05-24 15:52 ` Sebastien Buisson
2017-05-24 15:52 ` Sebastien Buisson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPkE-bXeTJhD+CXFVpzBGWuAvsddTX+6gkRrmqZE69yu2Vwrtg@mail.gmail.com \
--to=sbuisson.ddn@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sbuisson@ddn.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.