From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov, Joshua Brindle <jbrindle@tresys.com>
Subject: Re: Loading things into policy
Date: Wed, 19 Oct 2005 14:28:42 -0400 [thread overview]
Message-ID: <4356905A.7010703@cornell.edu> (raw)
In-Reply-To: <43568C6E.5040106@cornell.edu>
> Now, you could say you want add(), modify(), and set() to work as I've
> described above with respect to policy, and not the local file... but
> that's not the way I've been thinking about it so far. That's a
> different kind of design - it would need to do an exists() test in
> both local files, and policy, before it took any action.
Actually that's fairly easy to implement, and I'd do it without caring
what the backend is for various things (I can do this, because of the
abstractions, which everyone dislikes so much).
Currently I am planning two separate interfaces - one for local objects,
and one for in-policy objects. To implement an interface that integrates
those two, I would:
1) suffix the local objects functions with local (which is probably a
good idea anyway, since their names are a bit misleading).
2) write new functions that are written on top of the local/in-policy
interfaces (not implementations).
They'd do a query in both databases for queries. For modifications,
they'd do exist() test in both databases, and add stuff only in the
local files database.
...at this point Joshua's argument about why adding ports based on
existence of other ports in global policy is bad...starts to make some
sense to me. I did not understand his argument before, because it didn't
make sense when you were checking existence in the local database only,
and had a default handler to use on commit() for the in-policy objects.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-10-19 18:28 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-19 0:33 Loading things into policy Ivan Gyurdiev
2005-10-19 0:37 ` Ivan Gyurdiev
2005-10-19 13:45 ` Joshua Brindle
2005-10-19 16:31 ` Ivan Gyurdiev
2005-10-19 17:36 ` Stephen Smalley
2005-10-19 17:20 ` Stephen Smalley
2005-10-19 17:31 ` Stephen Smalley
2005-10-19 17:51 ` Stephen Smalley
2005-10-19 18:11 ` Ivan Gyurdiev
2005-10-19 18:13 ` Ron Kuris
2005-10-19 18:20 ` Stephen Smalley
2005-10-19 18:31 ` Ivan Gyurdiev
2005-10-19 18:28 ` Ivan Gyurdiev [this message]
2005-10-19 19:12 ` Ivan Gyurdiev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4356905A.7010703@cornell.edu \
--to=ivg2@cornell.edu \
--cc=jbrindle@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.