From: Paul M. <pau...@hp...> - 2011-03-07 16:22:53
On Monday, March 07, 2011 10:31:21 AM Ramon de Carvalho Valle wrote:
> Hi Paul,
>
> On 03/03/2011 07:30 PM, Paul Moore wrote:
> > On Thursday, March 03, 2011 8:03:38 AM Ramon de Carvalho Valle wrote:
> >> Hi Paul,
> >>
> >> Could you hold the patch series? I will rebase and resend it after we
> >> receive Dan's reply about role dominance.
> >
> > Sounds good.
>
> According to Chris PeBenito, role dominance was broken in modular
> policy, and he can not remember if it was fixed.
>
> I saw some discussion in SELinux mailing list from early 2008 about
> deprecating role dominance by role attributes. However, according to
> Chris, it was never added.
>
> For now, I think it is better to remove it and do the associations as it is
> needed. What do you think?

Well, it sounds like we don't have much choice, do we? :) Sounds like some work may need to be done to add role attributes to refpol.

> >> On 03/02/2011 08:43 PM, Paul Moore wrote:
> >>> On Tuesday, March 01, 2011 12:55:40 PM Ramon de Carvalho Valle wrote:
> >>>> From: Ramon de Carvalho Valle <rc...@br...>
> >>>>
> >>>> Signed-off-by: Ramon de Carvalho Valle <rc...@br...>
> >>>> ---
> >>>>
> >>>> audit/utils/selinux-policy/lspp_test.te | 2 +-
> >>>> 1 files changed, 1 insertions(+), 1 deletions(-)
> >>>>
> >>>> diff --git a/audit/utils/selinux-policy/lspp_test.te > >>>> b/audit/utils/selinux-policy/lspp_test.te index c164c3e..b0ef316 > >>>> 100644 --- a/audit/utils/selinux-policy/lspp_test.te > >>>> +++ b/audit/utils/selinux-policy/lspp_test.te
> >>>> @@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r > >>>> staff_r') # the policy_module() and gen_require() statements. > >>>> > >>>> # > >>>> > >>>> -policy_module(lspp_test,0.5.7) > >>>> +policy_module(lspp_test,0.5.8) > >>> > >>> This is being very nit-picky, but I would think that moving from > >>> RHEL5.x to RHEL6.x would warrant at least a bump in the minor number > >>> if not a major number bump ;) > >>> > >>>> # we really shouldn't be accessing these policy constructs directly > >>>> but > >>>> > >>>> there # isn't always a policy interface available for what we want to > >>>> do, so just -- paul moore linux @ hp |
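Review bot: the policy_module() line in the lspp_test.te hunk goes from 0.5.7 to 0.5.8, but the quoted commit message carries only the From and Signed-off-by lines, so nothing records which policy changes the new version number stands for. A one-line description tying the bump to the changes it covers would let someone comparing an installed lspp_test module version against the tree tell which rules to expect. The diffstat shows this single line as the whole change (1 insertion, 1 deletion), so the bump is also separated from whatever it versions; folding it into the commit that makes the final policy change, or placing it last in the series, keeps the version and the rules in step when the series is rebased.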