Re: [PATCH v4 2/2] selinux: generate flask headers during kernel build

[Paul Moore <paul.moore@hp.com>]

On Thursday 01 October 2009 08:32:40 am Stephen Smalley wrote:
> On Thu, 2009-10-01 at 07:46 +1000, James Morris wrote:
> > On Wed, 30 Sep 2009, Stephen Smalley wrote:
> > > Does anyone think we still need to support policy versions <
> > > POLICYDB_VERSION_NLCLASS (18)?  If not, then we can just drop the
> > > dynamic remapping of netlink classes in the security server:
> > >         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
> > >                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
> > >                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
> > >                         tclass = SECCLASS_NETLINK_SOCKET;
> > >
> > > I think RHEL4 shipped with policy.18.
> >
> > Was any distro shipped with a lower policy version?  If not, then I think
> > it should be ok.
> 
> policy.18 was first supported by Linux 2.6.8.
> I think the only distro to ship with SELinux enabled and Linux < 2.6.8
> would have been Fedora Core 2, which is long since EOL'd and even akpm
> doesn't run it anymore.  Not sure about Hardened Gentoo - Chris and/or
> Joshua?  Debian selinux packages predated Fedora, of course, but weren't
> mainstreamed into Debian until much later.
> 
> I didn't yet remove this logic in my patches, but will do so if there
> are no objections.

I'm sure you've already thought about this, but if you do remove the code for 
policy versions below 18 I would recommend doing so in a standalone patch - 
that way if somebody does end up with a broken system the bisect will only 
drag down the policy.18 patch and not the rest of these patches (which are 
going to be a very nice addition).

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.