Darrel Goeddel wrote:
> Joshua Brindle wrote:
> I have only tried this with our mls policy currently - I have not tried
> this with a policy generated from CVS using the mlsconvert target. The
> patch does modify the mlsconvert target to fit with the new processing
> (no spaces around the '.') - I will test that tomorrow. If anyone else
> tests this first please let me know. I will be banging on this tomorrow
> to make sure everything behaves sanely.
>
> I am still testing, and am open to suggestions... I'll let everyone
> know when I am satisfied with it.
>

Here is a version that I am happy with. There were only a few minor fixes from the past patch. As before, this patch is relative to Joshua's hierarchy-backport patch, and it should be applied when that patch is applied to keep mls processing working in the policy compiler. I haven't really looked over Joshua's patch with a fine-tooth comb, but it sure has been working nice for me. Anybody see anything wrong with the mls patch (or suggestions)?

There is a slightly modified behavior with this patch. Previously, if you specified a category that did not exist (or was not allowed to be associated with the specified sensitivity) in a context or rule with mls portions, the compiler would issue a warning and keep on chugging. This generated a perfectly nice policy, but you may not be getting what you wanted due to a typo or misconfiguration because you missed a warning. The compiler now treats these circumstances as errors just as if you tried to use a type that does not exist in an allow rule.

--

Darrel
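The fail-closed behaviour described in the message above, sketched as an added example (it is not code from the patch or from the policy compiler): an MLS level is rejected with an error when it names a category that is undeclared or not associated with its sensitivity. The function names, the cN category naming and the ALLOWED table are assumptions made for illustration.

```python
import re

class MlsError(ValueError):
    """An MLS level the declared policy does not permit (fatal, not a warning)."""

def expand_categories(spec):
    """Expand 'c0.c3,c5' into {0, 1, 2, 3, 5}.

    '.' marks a range and is written with no spaces around it.
    Assumes categories are named c<number> (hypothetical simplification).
    """
    cats = set()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise MlsError(f"malformed category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise MlsError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def check_level(level, allowed):
    """Validate 'sN' or 'sN:cats' against allowed = {sensitivity: category set}.

    Returns (sensitivity, categories) or raises MlsError, so a typo in a
    context stops the build instead of scrolling past as a warning.
    """
    sens, sep, catspec = level.partition(":")
    if sens not in allowed:
        raise MlsError(f"unknown sensitivity {sens!r}")
    if sep and not catspec:
        raise MlsError(f"empty category list in {level!r}")
    cats = expand_categories(catspec) if catspec else set()
    bad = sorted(cats - allowed[sens])
    if bad:
        names = ",".join(f"c{c}" for c in bad)
        raise MlsError(f"{names} not associated with {sens}")
    return sens, cats

# Constructed sample: which categories each sensitivity may carry.
ALLOWED = {"s0": expand_categories("c0.c3"), "s1": expand_categories("c0.c7")}

if __name__ == "__main__":
    for lvl in ("s0:c0.c2,c3", "s1:c5", "s0:c5", "s2:c0", "s0:c0 . c3"):
        try:
            print(lvl, "->", check_level(lvl, ALLOWED))
        except MlsError as err:
            print(lvl, "-> error:", err)
```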