From: Russell Coker <russell@coker.com.au>
To: Daniel J Walsh <dwalsh@redhat.com>, SELinux <selinux@tycho.nsa.gov>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: checkpolicy is broken (which is not)
Date: Sat, 6 Aug 2011 01:30:49 +1000 [thread overview]
Message-ID: <201108060130.49464.russell@coker.com.au> (raw)
In-Reply-To: <4E3C0152.7000105@redhat.com>
On Sat, 6 Aug 2011, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > So are you saying that you are fine with a newer checkpolicy not
> > accepting previously valid policy modules? Such that someone who
> > wants to upgrade checkpolicy in an existing distribution release
> > (e.g. RHEL6) can only do so if they also upgrade/modify their
> > policy?
>
> This is a theoretical about something we would never do. RHEL Releases
> are stable and we don't update tool chains, just bug fix. Maybe third
> parties would and then it would be up 2 them to fix their policies.
For Debian I want to provide forwards and backwards compatibility as much as
possible. Even in situations where I won't support a combination of policy
and user-space I would like it to not be too difficult for people who want to
do different things (as some RHEL and CentOS users are apparently doing).
I think that the ideal situation for a Debian upgrade (which can and usually
is done in stages unlike a RHEL upgrade) is to support either the old policy
with new user-space or the new policy with the old user-space. Ideally this
would also include the ability to rebuild the policy packages from source.
In regard to the "role httpd_t types httpd_t;" corner case, aren't there a
heap of other corner cases where someone can accidentally write policy that
doesn't do what they expect?
What about the macros for things like r_file_perms? How long are we going to
keep that around? We've already had a couple of releases with the new
version.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-08-05 15:30 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4E3AEA75.3090602@redhat.com>
[not found] ` <4E3B3D39.4020700@windriver.com>
2011-08-05 1:15 ` checkpolicy is broken (which is not) Harry Ciao
2011-08-05 2:29 ` Eric Paris
2011-08-05 2:29 ` [refpolicy] " Eric Paris
2011-08-05 4:19 ` Harry Ciao
2011-08-05 12:56 ` Stephen Smalley
2011-08-05 12:59 ` Daniel J Walsh
2011-08-05 13:27 ` Stephen Smalley
2011-08-05 14:42 ` Daniel J Walsh
2011-08-05 15:30 ` Russell Coker [this message]
2011-08-05 16:20 ` Stephen Smalley
2011-08-08 6:41 ` HarryCiao
2011-08-08 12:01 ` Stephen Smalley
2011-08-05 15:45 ` Joshua Brindle
2011-08-08 5:38 ` Harry Ciao
2011-08-05 16:58 ` James Carter
2011-08-05 17:23 ` Eric Paris
2011-08-07 4:43 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201108060130.49464.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.