From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chad Sellers <csellers@tresys.com>,
Karl MacMillan <kmacmillan@mentalrootkit.com>,
Daniel J Walsh <dwalsh@redhat.com>,
selinux@tycho.nsa.gov
Subject: Re: Deprecating setlocaldefs, preservebools support in libselinux
Date: Thu, 24 Jan 2008 16:02:57 -0500
Message-ID: <4798FD01.9060807@manicmethod.com>
In-Reply-To: <1201203958.21288.120.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> I'd still like to deprecate setlocaldefs support and preservebools
> support in libselinux in the trunk (i.e. libselinux 2.x). I posted
> patches for completely removing such support a long while ago, but those
> particular patches would require an ABI change (as they include API
> removal) and thus I held off on them, but we could also take the more
> intermediate approach of just turning off the functionality by default
> in libselinux without disturbing the ABI.
>
> As a refresher, setlocaldefs support refers to the support for pulling
> in local boolean and user definitions at policy load time w/o managed
> policy, i.e. the approach used in RHEL4 and Fedora 3 and 4 (but not in
> Fedora 5 and later or RHEL5). By default, libselinux still checks for
> such definitions and patches them into the in-memory policy at load time
> unless /etc/selinux/config has SETLOCALDEFS=0. I'd like to make
> SETLOCALDEFS=0 the default in the trunk and require SETLOCALDEFS=1
> in /etc/selinux/config to enable the old behavior.
>
> preservebools support refers to the support for preserving active
> boolean values across a policy reload by having libselinux patch the
> active values into the in-memory policy at policy load time. As of
> Linux 2.6.22 and later, this is now handled automatically by the kernel
> as part of the policy reload and isn't needed in userspace. I'd like to
> also disable this by default in libselinux and perhaps allow it to be
> enabled via some /etc/selinux/config setting.
>
> Thoughts?
>
I'm fine saying it's deprecated but CLIP currently uses an updated
toolchain for both RHEL5 and RHEL4 (adds policy management capabilities
to RHEL4) so removing the boolean preservation functionality would be
detrimental. setlocaldefs isn't used very often afaik but we sometimes
build systems where the use of 'managed policy' is objected to, in which
case the only way to add users is via users.local. With this in mind
we'll just have to be careful when upgrading the CLIP toolchain not to
use a version that eventually removes this support.
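Stephen's description of SETLOCALDEFS above, as an added example that is not part of either message: a small sh script that reports which way a given /etc/selinux/config would fall under the current default and under the proposed one, and whether local definition files exist that the change would leave unread. The config-line syntax it accepts and the file names booleans.local and users/local.users are assumptions for the illustration, not libselinux's own parser or paths.

```shell
# Added example (not code from the thread or from libselinux): report whether
# local boolean/user definitions would be pulled in at policy load under the
# current libselinux default (on unless SETLOCALDEFS=0) and under the proposed
# default (off unless SETLOCALDEFS=1). Config syntax and file names are assumed.

# selinux_config_value KEY FILE: print the value of KEY=value in FILE with
# comments and surrounding whitespace stripped; print nothing if absent.
selinux_config_value() {
    key="$1"; file="$2"
    [ -r "$file" ] || return 0
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# setlocaldefs_active MODE FILE: "yes" if local definitions would be patched
# into the in-memory policy at load time, else "no".
#   old: current libselinux default, active unless SETLOCALDEFS=0
#   new: proposed default, active only if SETLOCALDEFS=1
setlocaldefs_active() {
    v="$(selinux_config_value SETLOCALDEFS "$2")"
    case "$1" in
        old) if [ "$v" = "0" ]; then echo no; else echo yes; fi ;;
        new) if [ "$v" = "1" ]; then echo yes; else echo no; fi ;;
        *)   echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# local_defs_present POLICYDIR: print non-empty local definition files under an
# assumed /etc/selinux/<SELINUXTYPE>/ layout (file names are assumptions).
local_defs_present() {
    for f in "$1/booleans.local" "$1/users/local.users"; do
        [ -s "$f" ] && echo "$f"
    done
    return 0
}

# Demo on a constructed config: a system that never set SETLOCALDEFS keeps its
# local users today but would silently stop loading them under the new default.
demo_setlocaldefs() {
    tmp="$(mktemp -d)"
    printf 'SELINUX=enforcing\nSELINUXTYPE=strict\n' > "$tmp/config"
    mkdir -p "$tmp/strict/users"
    echo 'user joe roles { user_r };' > "$tmp/strict/users/local.users"
    echo "old default: $(setlocaldefs_active old "$tmp/config")"
    echo "new default: $(setlocaldefs_active new "$tmp/config")"
    local_defs_present "$tmp/strict" | sed 's/^/would be ignored: /'
    rm -rf "$tmp"
}
demo_setlocaldefs
```

Running it against a real host means pointing the functions at /etc/selinux/config and /etc/selinux/$SELINUXTYPE instead of the constructed temporary directory.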