From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/3] libsepol: Add support for multiple target OSes
Date: Wed, 07 Oct 2009 14:48:18 -0400	[thread overview]
Message-ID: <4ACCE272.1070303@manicmethod.com> (raw)
In-Reply-To: <1254937078.2251.286.camel@moss-pluto.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Tue, 2009-10-06 at 10:20 -0400, Joshua Brindle wrote:
>> Paul Nuzzi wrote:
>>> On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote:
>> <snip>
>>> Thanks for your input.  Below is the updated patch for libsepol.
>>>
>> A quick look through looks good. I'd like to test it out a bit, do you
>> have a Xen policy somewhere I can use for testing?
>>
>> Also, I notice that this only lets you write out a "kernel" policy for
>> Xen, but it might be beneficial to write out a base policy for testing,
>> development, analysis, etc.
>
> The Xen Flask policy lives in the xen-unstable tree; Paul has a patch to
> update the Xen Flask module to support this new policy string identifier
> and the new ocontext records and to update the policy there, but you'd
> have to apply that patch to xen-unstable and build it.
>

I'll leave the Xen Flask module part to you guys; I just wanted to build 
a Xen policy and do some poking around on it to see if it looks right.

> In terms of base policy, if you mean modular base policy, we'd have to
> introduce multiple string identifiers for it in the same way as the
> kernel policy format, and I couldn't see the benefit of doing that when
> the module format is going to be replaced in the not-too-distant future.
> And what precisely is the benefit of writing a base policy vs. a kernel
> policy now that policy.24 includes attribute names and preserves
> attributes in allow rules (aside from certain cases, like type set
> exclusion aka minus)?

That is fine; I was just thinking it is nicer to put a base module into 
setools than a kernel policy, but there is a good chance that won't work 
anyway, since setools won't know about the new ocontexts and might freak 
out (completely untested).

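The thread turns on the new target-platform string in the kernel policy header and on what happens when a tool that only knows one target (setools in Joshua's example) is handed a policy for the other. The following is an added example, not code from this patch series or from libsepol or setools: a small reader for the fixed kernel-policy header that identifies the target platform and refuses the cases a loader should refuse. The layout it assumes is libsepol's kernel policy header as written by policydb_write: little-endian u32 magic, u32 string length, the target string bytes with no NUL, then u32 version, config, sym_num and ocon_num. The magic value 0xf97cff8c and the strings "SE Linux" and "XenFlask" are taken from libsepol; the symbol and ocontext counts in the sample headers are constructed values for illustration, not a claim about any real policy.N file.

```python
import struct
from typing import Optional

# Constants as found in libsepol's policydb.h (kernel policy only; the
# loadable-module format uses a different magic and string and is not handled).
POLICYDB_MAGIC = 0xF97CFF8C
TARGET_STRINGS = {
    "SE Linux": "selinux",   # POLICYDB_STRING
    "XenFlask": "xen",       # POLICYDB_XEN_STRING, the identifier this series adds
}
MAX_TARGET_LEN = 32          # sanity bound on the string length field (assumption)


def parse_kernel_policy_header(data: bytes) -> dict:
    """Parse the fixed header of a binary kernel policy and return its fields.

    Header layout (assumed from libsepol policydb_write, all little-endian):
      u32 magic, u32 len, char[len] target string, u32 version, u32 config,
      u32 sym_num, u32 ocon_num
    Raises ValueError for anything a loader would have to reject.
    """
    if len(data) < 8:
        raise ValueError("truncated header: missing magic/length")
    magic, slen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}, not a kernel policy")
    if slen == 0 or slen > MAX_TARGET_LEN:
        raise ValueError(f"implausible target string length {slen}")
    if len(data) < 8 + slen + 16:
        raise ValueError("truncated header: missing version/config/counts")
    # A non-ASCII or otherwise unknown string is rejected, not guessed at:
    # a tool that does not know the target will not know its ocontexts either.
    target = data[8:8 + slen].decode("ascii")
    if target not in TARGET_STRINGS:
        raise ValueError(f"unknown target platform string {target!r}")
    version, config, sym_num, ocon_num = struct.unpack_from("<IIII", data, 8 + slen)
    return {
        "target": TARGET_STRINGS[target],
        "target_string": target,
        "version": version,
        "config": config,
        "sym_num": sym_num,
        "ocon_num": ocon_num,
    }


def loader_error(data: bytes, expected: Optional[str] = None) -> Optional[str]:
    """Return None if a tool built for `expected` ('selinux', 'xen', or None for
    any target) could consume this policy, otherwise the reason to refuse it."""
    try:
        hdr = parse_kernel_policy_header(data)
    except ValueError as e:
        return str(e)
    if expected is not None and hdr["target"] != expected:
        return f"policy targets {hdr['target']}, tool expects {expected}"
    return None


def build_header(target: str, version: int, config: int,
                 sym_num: int, ocon_num: int) -> bytes:
    """Build a header in the same layout; used here only to construct samples."""
    s = target.encode("ascii")
    return (struct.pack("<II", POLICYDB_MAGIC, len(s)) + s
            + struct.pack("<IIII", version, config, sym_num, ocon_num))


# Constructed sample headers. Counts are illustrative, not from a real policy.
SAMPLE_SELINUX = build_header("SE Linux", 24, 1, 8, 7)
SAMPLE_XEN = build_header("XenFlask", 24, 1, 8, 5)
SAMPLE_BOGUS_TARGET = build_header("NotAnOS", 24, 1, 8, 7)


if __name__ == "__main__":
    for name, blob in (("selinux", SAMPLE_SELINUX), ("xen", SAMPLE_XEN)):
        print(name, parse_kernel_policy_header(blob))
    # What a SELinux-only consumer (setools in the thread) should say to a Xen policy:
    print(loader_error(SAMPLE_XEN, expected="selinux"))
    print(loader_error(SAMPLE_BOGUS_TARGET))
    print(loader_error(SAMPLE_SELINUX[:20]))
```

The point of the second function is the one Joshua raises: a consumer that does not check the target string would read past the header and misinterpret the Xen ocontext records as SELinux ones, so the refusal belongs at the header, before any ocontext is parsed.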


Thread overview: 13+ messages
2009-09-15 16:15 [PATCH 1/3] libsepol: Add support for multiple target OSes pjnuzzi
2009-09-15 16:37 ` [PATCH 2/3] checkpolicy: " pjnuzzi
2009-09-15 16:40   ` [PATCH 3/3] sepolgen: " pjnuzzi
2009-09-29 14:06   ` [PATCH 2/3] checkpolicy: " Paul Nuzzi
2009-09-16 13:58 ` [PATCH 1/3] libsepol: " Joshua Brindle
2009-09-16 17:44   ` Paul Nuzzi
2009-09-16 19:01     ` Stephen Smalley
2009-09-29 14:03   ` Paul Nuzzi
2009-10-06 14:20     ` Joshua Brindle
2009-10-07 17:37       ` Stephen Smalley
2009-10-07 18:48         ` Joshua Brindle [this message]
2009-10-13 19:56     ` Joshua Brindle
2009-10-14 19:38       ` Joshua Brindle
