From: Joshua Brindle <jbrindle@tresys.com>
To: gyurdiev@redhat.com
Cc: Karl MacMillan <kmacmillan@tresys.com>,
"'Daniel J Walsh'" <dwalsh@redhat.com>,
selinux@tycho.nsa.gov
Subject: Re: Iptables discussion
Date: Fri, 22 Jul 2005 15:19:47 -0400 [thread overview]
Message-ID: <42E146D3.60809@tresys.com> (raw)
In-Reply-To: <1122046798.25951.27.camel@celtics.boston.redhat.com>
Ivan Gyurdiev wrote:
>>>That's why I'm asking for an intermediate representation. My particular
>>>implementation of it may not be very good (suggestions welcome),
>>>but it's certainly better than what's out there - I don't think
>>>passing in policy-dependent integer id's, and exposing internal data
>>>structures will make a successful api.
>>>
>>>
>>>
>>>
>>The module format is an intermediate representation.
>>
>>
>
>No...an intermediate representation on the libsepol level,
>as well as the libsemanage level.
>
>
>
we need to figure out what we need to store before we decide if we need
another policy representation.
>> I don't think
>>anyone is suggesting we expose anything about the policy, the last few
>>days of discussion has been about abstracting this. With respect to the
>>proposed libsemanage API, please let us know what else you need, or
>>better yet add some structs and functions and send an rfc.
>>
>>
>
>Can you please rename the library, so I can send patches against it?
>I tried to do this myself, but you didn't like my patch.
>
>
>
It won't matter since the library doesn't currently match the proposed
API. Probably the best thing would be to write your user and port
management stuff against the new API and see if it actually works.
>>/* Disconnect from the manager given by the handle. If already
>> * disconnected then this function does nothing. Return 0 if
>> * disconnected properly or already disconnected, negative value on
>> * error. */
>>int semanage_disconnect(semanage_handle_t *);
>>
>>/* Deallocate all space associated with a semanage_handle_t, including
>> * the pointer itself. CAUTION: this function does not disconnect
>> * from the manager; be sure that a semanage_disconnect() was
>> * previously called. */
>>void semanage_handle_free(semanage_handle_t *);
>>
>>
>
>Dan asked why the API is assymetric (connect vs disconnect-free),
>but no one has answered this question yet. In addition, I see a
>"CAUTION: don't do this" in free, which makes me wonder
>why this function exists, and is not done inside disconnect.
>
>
>
it doesn't say not to do it, it says not to do it before disconnect. The
reason there is a difference is because you may want to reuse the
handles and we force the caller to initialize them therefore they have
to destroy them.
<snip>
>>/* accessors for mls and role support structs */
>>typedef struct semanage_mls semanage_role_t;
>>typedef struct semanage_role semanage_role_t;
>>
>>
>
>??
>
>
>
??? those aren't directly used, they are for supporting users
>>const char* semanage_mls_get_range(semanage_mls *);
>>const char* semanage_mls_get_level(semanage_mls *);
>>
>>int semanage_mls_set_range(semanage_mls *);
>>int semanage_mls_set_level(semanage_mls *);
>>
>>
>
>Shouldn't the setters take a parameter of
>what to set? You omit those in many places.
>
>
>
yea, my mistake, obviously I was writing this to get the concepts out
and let you see if they actually work for you, hopefully they will :)
>>/* semanage_user management functions */
>>int semanage_user_init(semanage_handle_t **);
>>
>>
>
>You mean semanage_user_t** ?
>
>
>
probably :)
>>int semanage_user_add(semanage_handle_t *, semanage_user_t *userdata);
>>int semanage_user_remove(semanage_handle_t *, semanage_user_t *userdata);
>>int semanage_user_list(semanage_handle_t *, semanage_user_t **users, int *num_users);
>>
>>
>
>There's still no query or a way to modify the user other than delete
>and re-add. This applies to the entire API. Delete and add may be
>acceptable (even though that automatically means two iterations
>in the file case), but no query just seems wrong.
>
>
>
oops, add
semanage_user_change(semanage_handle_t *, semanage_user_t *userdata,
char* key);
it would totally replace the datum, no unioning or anything like that
<snip>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-07-22 19:25 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-21 17:40 [ libsepol 2/6] Ports Ivan Gyurdiev
2005-07-21 18:04 ` Joshua Brindle
2005-07-21 18:06 ` Ivan Gyurdiev
2005-07-21 18:27 ` Ivan Gyurdiev
2005-07-21 19:35 ` Karl MacMillan
2005-07-21 19:38 ` Ivan Gyurdiev
2005-07-21 20:30 ` Karl MacMillan
2005-07-21 20:47 ` Ivan Gyurdiev
2005-07-21 21:06 ` Joshua Brindle
2005-07-21 21:06 ` Ivan Gyurdiev
2005-07-21 21:15 ` Joshua Brindle
2005-07-21 21:25 ` Ivan Gyurdiev
2005-07-21 23:34 ` Joshua Brindle
2005-07-22 11:53 ` Iptables discussion Ivan Gyurdiev
2005-07-22 12:31 ` Daniel J Walsh
2005-07-22 12:46 ` Karl MacMillan
2005-07-22 13:44 ` Ivan Gyurdiev
2005-07-22 14:19 ` Karl MacMillan
2005-07-22 14:24 ` Ivan Gyurdiev
2005-07-22 15:28 ` Karl MacMillan
2005-07-22 18:18 ` Ivan Gyurdiev
2005-07-22 18:40 ` Karl MacMillan
2005-07-22 19:01 ` Ivan Gyurdiev
2005-07-22 14:42 ` Daniel J Walsh
2005-07-22 15:28 ` Karl MacMillan
2005-07-22 14:51 ` Joshua Brindle
2005-07-22 14:51 ` Joshua Brindle
2005-07-22 15:39 ` Ivan Gyurdiev
2005-07-22 15:57 ` Karl MacMillan
2005-07-22 16:14 ` Ivan Gyurdiev
2005-07-22 16:31 ` Karl MacMillan
2005-07-22 17:59 ` Ivan Gyurdiev
2005-07-22 16:28 ` Ivan Gyurdiev
2005-07-22 17:28 ` Jason Tang
2005-07-22 17:54 ` Ivan Gyurdiev
2005-07-22 18:28 ` Jason Tang
2005-07-22 18:32 ` Ivan Gyurdiev
2005-07-22 19:19 ` Joshua Brindle [this message]
2005-07-22 19:44 ` Ivan Gyurdiev
2005-07-22 19:56 ` Joshua Brindle
2005-07-22 20:18 ` Ivan Gyurdiev
2005-07-22 20:56 ` Ivan Gyurdiev
2005-07-22 15:46 ` Casey Schaufler
2005-07-22 15:54 ` Joshua Brindle
2005-07-22 16:11 ` Frank Mayer
2005-07-22 18:56 ` Casey Schaufler
2005-07-24 5:25 ` James Morris
2005-07-24 15:28 ` Casey Schaufler
2005-07-25 4:24 ` James Morris
2005-07-25 15:37 ` Daniel J Walsh
2005-07-25 18:24 ` Christopher J. PeBenito
2005-07-25 18:28 ` Ivan Gyurdiev
2005-07-25 18:43 ` Ivan Gyurdiev
2005-07-25 18:55 ` Daniel J Walsh
2005-07-25 19:01 ` Joshua Brindle
2005-07-25 19:53 ` Ivan Gyurdiev
2005-07-25 22:42 ` Joshua Brindle
2005-07-26 0:07 ` Ivan Gyurdiev
2005-07-26 0:13 ` Joshua Brindle
2005-07-22 12:37 ` Karl MacMillan
-- strict thread matches above, loose matches on Subject: below --
2005-07-22 14:54 Chad Hanson
2005-07-24 5:08 ` James Morris
2005-07-25 21:00 Chad Hanson
2005-07-25 21:04 Chad Hanson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42E146D3.60809@tresys.com \
--to=jbrindle@tresys.com \
--cc=dwalsh@redhat.com \
--cc=gyurdiev@redhat.com \
--cc=kmacmillan@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.