From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: Re: [PATCH 2/2] Refactor expansion of avtab
Date: Thu, 27 Jul 2006 10:36:03 -0400
Message-ID: <44C8CF53.6040009@mentalrootkit.com>
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588298D4F@exchange.columbia.tresys.com>

Joshua Brindle wrote:
>> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com] 
>>
>>     
>> Poorly named function - are neverallows av rules or not? If 
>> they are not the function needs a more generic name. This is 
>> continuing the confusing practice of sometimes calling just 
>> allow and audit rules av rules and sometimes using it to mean 
>> more rule types.
>>
>>     
>
> Have any suggestions? We couldn't think of a really good name either.
>
>   

I vote we start using avrules to mean allow, audit, and neverallow - 
i.e., based on their common syntax. That would argue for the define 
changing in the other patch.

>> This can be in place or out of place (i.e., out can be the 
>> same as base)? A comment describing how this function can be 
>> used is needed, including the fact that the typemap must be 
>> "special" for an in-place expand, correct?
>>
>>     
>
> Either, it is out of place for the current usage and in place for
> setools. Talking about a special typemap is out of context here. Maybe
> more comments are needed. No need to ditch this patch though, we can
> apply some comments on top of it.
>
>   

Why is talking about a specific typemap out of place? Just give the user 
a hint that if they want to do in-place expansion what the typemap will 
be. Where is the real documentation for typemap going to go?

>> Object classes and permissions will never need to be mapped 
>> for an out of place expansion?
>>
>>     

What about this question?

Karl
