From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: James Morris <jmorris@namei.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov, eparis@redhat.com,
sds@tycho.nsa.gov
Subject: Re: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix
Date: Wed, 04 Oct 2006 15:42:08 -0400
Message-ID: <45240E90.4050405@hp.com>
In-Reply-To: <36282A1733C57546BE392885C0618592015CF940@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>>As for the rest of the network labeling, please work together with Venkat
>>>and the SELinux developers on a final patchset which meets all of the
>>>design goals and has been tested, with policy which has been merged
>>>upstream and is available via Fedora devel. Please keep the discussion
>>>going, but ensure that the final patchset for review and merge
>>>consideration is a complete set against the current git kernel coming from
>>>one person.
>>
>>I'm trying :) When I posted the NetLabel secid support patch last week
>>I asked Venkat if he could merge it with the main secid patchset (due to
>>size and dependencies that seemed like the most reasonable course of
>>action). For reasons I'm not aware of he chose not to.
>
>
> FYI- I am no NetLabel expert, and the patchset I sent out that day included
> the peersid changes. And since you were going to have to post a patch for
> that again, I thought it best you ported and reposted the entire patch again.
I'm not talking about the peer_sid changes, although I'm glad they are
part of the secid patchset - thank you. I'm talking about the patch I
keep reposting to include NetLabel in the secid reconciliation path.
There was a secid patchset posted on Thursday (9/28) night, I posted
a patch on Friday (9/29) to provide NetLabel support.
There was a secid patchset posted on Sunday (10/1) night, I respun the
NetLabel support patch on Monday (10/2) - "v2".
I respun the NetLabel support patch to take into account Stephen
Smalley's comments on Monday (10/2) - "v3".
There was a small update to the secid patches yesterday (10/3) so I
respun the NetLabel support patch (10/4) - "v4".
>> As a result I
>>keep posting updated patches backed against Venkat's latest and
>>incorporating the latest feedback.
>
> And let's keep this going like this on the selinux list. When all the
> testing is done and selinux ok's the patchsets, I will combine them
> and send them onto netdev. How does that sound?
Yes, the discussion is a good one; I don't want to disrupt that.
I would prefer if all of the patches were in one patchset, pushed out by
one person as that would save me from having to respin my patch if all I
need to do is update it for the latest secid patches. I think that has
value so people can review/test/etc all of the parts as one coherent
patchset. However, it's ultimately up to you as you are the one working
on the main secid patchset.
>>Venkat, can you please merge my latest NetLabel secid support
>>patch in with your next release?
>
> I would, but it currently is premature. As James says, let's
> get policy done, the design proven, and tested and then we will
> go to netdev with one patchset.
I think it's easier to decide on policy, review the design, and test it
all if there is one place/patchset with all of the latest bits/patches.
Right now it's not that easy with different patches scattered around.
--
paul moore
linux security @ hp