tunable and if-else conditional

tunable and if-else conditional

[Stefan Schulze Frielinghaus]

Hi,

reading an older poste (http://www.nsa.gov/selinux/list-archive/0610/ 
thread_body16.cfm) I wonder about the difference between tunable and  
an if-else conditional.

<quote>
Tunable_policy are blocks that will be replaced by a similar language  
feature when it becomes available. Tunables will be similar to  
conditionals, except they will be selected during the policy module  
linking instead of being selectable at runtime.
</quote>

Using the latest stable refpolicy (20070629) the feature has already  
changed? I would guess so because I can change the booleans via  
setsebool at runtime.

Looking at the file "loadable_module.spt" the tunable seems to me  
exact the same like a if-else conditional. But I'm not a M4 guy and  
wanted to make sure. Is this right that a tunable and a if-else  
conditional is the same now?

cheers,
Stefan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tunable and if-else conditional

[Christopher J. PeBenito]

On Wed, 2007-09-05 at 17:35 +0200, Stefan Schulze Frielinghaus wrote:
> reading an older poste (http://www.nsa.gov/selinux/list-archive/0610/ 
> thread_body16.cfm) I wonder about the difference between tunable and  
> an if-else conditional.
> 
> <quote>
> Tunable_policy are blocks that will be replaced by a similar language  
> feature when it becomes available. Tunables will be similar to  
> conditionals, except they will be selected during the policy module  
> linking instead of being selectable at runtime.
> </quote>
> 
> Using the latest stable refpolicy (20070629) the feature has already  
> changed? I would guess so because I can change the booleans via  
> setsebool at runtime.

No, true tunables require support in the toolchain.  That won't happen
until after the new policy representation is completed.

> Looking at the file "loadable_module.spt" the tunable seems to me  
> exact the same like a if-else conditional. But I'm not a M4 guy and  
> wanted to make sure. Is this right that a tunable and a if-else  
> conditional is the same now?

Tunables are implemented as conditional policy right now.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tunable and if-else conditional

[Stefan Schulze Frielinghaus]

On 05.09.2007, at 19:21, Christopher J. PeBenito wrote:

> On Wed, 2007-09-05 at 17:35 +0200, Stefan Schulze Frielinghaus wrote:
>> reading an older poste (http://www.nsa.gov/selinux/list-archive/0610/
>> thread_body16.cfm) I wonder about the difference between tunable and
>> an if-else conditional.
>>
>> <quote>
>> Tunable_policy are blocks that will be replaced by a similar language
>> feature when it becomes available. Tunables will be similar to
>> conditionals, except they will be selected during the policy module
>> linking instead of being selectable at runtime.
>> </quote>
>>
>> Using the latest stable refpolicy (20070629) the feature has already
>> changed? I would guess so because I can change the booleans via
>> setsebool at runtime.
>
> No, true tunables require support in the toolchain.  That won't happen
> until after the new policy representation is completed.
>
>> Looking at the file "loadable_module.spt" the tunable seems to me
>> exact the same like a if-else conditional. But I'm not a M4 guy and
>> wanted to make sure. Is this right that a tunable and a if-else
>> conditional is the same now?
>
> Tunables are implemented as conditional policy right now.

So in the end the preferred way of handling booleans is via what?  
Because as already pointed out in the post before all if-else  
statements were replaced via tunables. But the tunables aren't  
supposed to be changed at runtime which booleans should be. Or do I  
miss something?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tunable and if-else conditional

[Christopher J. PeBenito]

On Thu, 2007-09-06 at 08:18 +0200, Stefan Schulze Frielinghaus wrote:
> On 05.09.2007, at 19:21, Christopher J. PeBenito wrote:
> 
> > On Wed, 2007-09-05 at 17:35 +0200, Stefan Schulze Frielinghaus wrote:
> >> reading an older poste (http://www.nsa.gov/selinux/list-archive/0610/
> >> thread_body16.cfm) I wonder about the difference between tunable and
> >> an if-else conditional.
> >>
> >> <quote>
> >> Tunable_policy are blocks that will be replaced by a similar language
> >> feature when it becomes available. Tunables will be similar to
> >> conditionals, except they will be selected during the policy module
> >> linking instead of being selectable at runtime.
> >> </quote>
> >>
> >> Using the latest stable refpolicy (20070629) the feature has already
> >> changed? I would guess so because I can change the booleans via
> >> setsebool at runtime.
> >
> > No, true tunables require support in the toolchain.  That won't happen
> > until after the new policy representation is completed.
> >
> >> Looking at the file "loadable_module.spt" the tunable seems to me
> >> exact the same like a if-else conditional. But I'm not a M4 guy and
> >> wanted to make sure. Is this right that a tunable and a if-else
> >> conditional is the same now?
> >
> > Tunables are implemented as conditional policy right now.
> 
> So in the end the preferred way of handling booleans is via what?  
> Because as already pointed out in the post before all if-else  
> statements were replaced via tunables.

No, not all conditionals were replaced with tunables, see
global_booleans and line 98 of modutils.if for an example.

> But the tunables aren't supposed to be changed at runtime which
> booleans should be. Or do I miss something?

If you don't implement them as conditionals, then the only other option
would be m4 ifdefs, then the tunables won't be exposed to the users
since distros don't install source policy anymore.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tunable and if-else conditional

[Stefan Schulze Frielinghaus]

On 06.09.2007, at 14:39, Christopher J. PeBenito wrote:

> On Thu, 2007-09-06 at 08:18 +0200, Stefan Schulze Frielinghaus wrote:
>> On 05.09.2007, at 19:21, Christopher J. PeBenito wrote:
>>
>>> On Wed, 2007-09-05 at 17:35 +0200, Stefan Schulze Frielinghaus  
>>> wrote:
>>>> reading an older poste (http://www.nsa.gov/selinux/list-archive/ 
>>>> 0610/
>>>> thread_body16.cfm) I wonder about the difference between tunable  
>>>> and
>>>> an if-else conditional.
>>>>
>>>> <quote>
>>>> Tunable_policy are blocks that will be replaced by a similar  
>>>> language
>>>> feature when it becomes available. Tunables will be similar to
>>>> conditionals, except they will be selected during the policy module
>>>> linking instead of being selectable at runtime.
>>>> </quote>
>>>>
>>>> Using the latest stable refpolicy (20070629) the feature has  
>>>> already
>>>> changed? I would guess so because I can change the booleans via
>>>> setsebool at runtime.
>>>
>>> No, true tunables require support in the toolchain.  That won't  
>>> happen
>>> until after the new policy representation is completed.
>>>
>>>> Looking at the file "loadable_module.spt" the tunable seems to me
>>>> exact the same like a if-else conditional. But I'm not a M4 guy and
>>>> wanted to make sure. Is this right that a tunable and a if-else
>>>> conditional is the same now?
>>>
>>> Tunables are implemented as conditional policy right now.
>>
>> So in the end the preferred way of handling booleans is via what?
>> Because as already pointed out in the post before all if-else
>> statements were replaced via tunables.
>
> No, not all conditionals were replaced with tunables, see
> global_booleans and line 98 of modutils.if for an example.
>
>> But the tunables aren't supposed to be changed at runtime which
>> booleans should be. Or do I miss something?
>
> If you don't implement them as conditionals, then the only other  
> option
> would be m4 ifdefs, then the tunables won't be exposed to the users
> since distros don't install source policy anymore.

OK, I will use gen_bool() and the conditionals instead of gen_tun()  
and tunables for creating a boolean which can be changed by the user  
at runtime.

Thanks for clarification

cheers,
Stefan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.