Stephen Smalley wrote:
>> My preference is filling up the undefined access vectors with
>> policydb.allow_unknown. It seems to me quite natural.
>
> I believe that is what the kernel does during policy load, by defining
> the policydb->undefined_perms[] array.

Oops, I misread the kernel code.

>> Userspace object managers also have the same issue.
>> Now it's unclear to me what the preferable behavior is.
>> For example, how should it handle the db_database:{superuser}
>> on the older security policy?

It is useful for a userspace object manager if libselinux has an interface
something like:

  int security_deny_unknown(void);

This interface can suggest the preferable behavior to applications when
string_to_security_class() or string_to_av_perm() returns an invalid value,
which means the security policy does not define the required ones.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei
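As an added illustration, not part of this thread and not libselinux code, the C sketch below shows how a userspace object manager could use an interface like the proposed security_deny_unknown() when the policy does not define a class or permission, using the db_database:{superuser} case from the message as the worked input. The mini policy table, the mock_ lookup functions, set_mock_deny_unknown() and resolve_perm() are constructed assumptions standing in for the real string_to_security_class(), string_to_av_perm() and the deny_unknown query; nothing here touches a live SELinux system.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned short security_class_t;
typedef unsigned int access_vector_t;

/* Constructed mini "policy": the classes and permissions this (older) policy
 * defines. db_database is present but has no "superuser" permission, which is
 * exactly the situation the message asks about. */
struct perm_def { const char *name; access_vector_t bit; };
struct class_def {
    const char *name;
    security_class_t id;
    const struct perm_def *perms;
    size_t nperms;
};

static const struct perm_def db_database_perms[] = {
    { "create", 1u << 0 },
    { "drop",   1u << 1 },
    { "access", 1u << 2 },
};

static const struct class_def policy_classes[] = {
    { "db_database", 1, db_database_perms,
      sizeof db_database_perms / sizeof db_database_perms[0] },
};

/* Mock of libselinux string_to_security_class(): 0 means "not in policy". */
static security_class_t mock_string_to_security_class(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof policy_classes / sizeof policy_classes[0]; i++)
        if (strcmp(policy_classes[i].name, name) == 0)
            return policy_classes[i].id;
    return 0;
}

/* Mock of libselinux string_to_av_perm(): 0 means "not in policy". */
static access_vector_t mock_string_to_av_perm(security_class_t tclass, const char *name)
{
    size_t i, j;
    for (i = 0; i < sizeof policy_classes / sizeof policy_classes[0]; i++) {
        if (policy_classes[i].id != tclass)
            continue;
        for (j = 0; j < policy_classes[i].nperms; j++)
            if (strcmp(policy_classes[i].perms[j].name, name) == 0)
                return policy_classes[i].perms[j].bit;
    }
    return 0;
}

/* Mock of the proposed security_deny_unknown(): 1 = the kernel denies unknown
 * classes/permissions, 0 = it allows them. Settable so the demo can show both. */
static int mock_deny_unknown = 1;
static void set_mock_deny_unknown(int deny) { mock_deny_unknown = deny; }
static int mock_security_deny_unknown(void) { return mock_deny_unknown; }

enum resolve_result {
    RESOLVE_KNOWN,          /* class and perm defined: go on to the normal AVC check */
    RESOLVE_UNKNOWN_ALLOW,  /* not defined, and the kernel allows unknown */
    RESOLVE_UNKNOWN_DENY    /* not defined, and the kernel denies unknown */
};

/* Resolve a class/permission name pair. When the policy does not define one of
 * them, follow the kernel's own deny_unknown setting rather than inventing a
 * per-application default, so userspace and kernel decisions stay consistent. */
static enum resolve_result resolve_perm(const char *class_name, const char *perm_name,
                                        security_class_t *tclass, access_vector_t *av)
{
    *tclass = mock_string_to_security_class(class_name);
    *av = *tclass ? mock_string_to_av_perm(*tclass, perm_name) : 0;
    if (*tclass && *av)
        return RESOLVE_KNOWN;
    return mock_security_deny_unknown() ? RESOLVE_UNKNOWN_DENY : RESOLVE_UNKNOWN_ALLOW;
}

int main(void)
{
    static const char *const names[] = { "known", "unknown-allow", "unknown-deny" };
    security_class_t tclass;
    access_vector_t av;
    enum resolve_result r;

    r = resolve_perm("db_database", "superuser", &tclass, &av);
    printf("db_database:superuser, deny_unknown=1 -> %s\n", names[r]);

    set_mock_deny_unknown(0);
    r = resolve_perm("db_database", "superuser", &tclass, &av);
    printf("db_database:superuser, deny_unknown=0 -> %s\n", names[r]);

    r = resolve_perm("db_database", "access", &tclass, &av);
    printf("db_database:access -> %s (av=0x%x)\n", names[r], av);
    return 0;
}
```

The point of the helper is that the object manager never has to guess: a permission the loaded policy has never heard of is treated the way the kernel would treat it for its own classes, so an older policy deployed under a newer object manager fails closed when deny_unknown is set and stays permissive otherwise.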