Colin Walters (walters@xxxxxxxxxx) said:
> > I'm willing
> > to bet that we'll get an application behavior change at some point
> > that's going to end up making the policy require a specific version of
> > some program.
>
> Why not have the package depend on a particular version of policy?

It would have to be conflicts, actually.

> > I don't think that they're really any more independent than the policy
> > _should_ be. The policy for sendmail should have no relation to the
> > policy for httpd. The two are orthogonal to each other.
>
> Not completely. Both of them use mta.te. If a security administrator
> wanted to change how mta.te worked, and the policies were all maintained
> centrally, they could modify both the sendmail.te and httpd.te files as
> necessary before actually installing the packages. Otherwise they have
> to wait to install the package to get the policy, and installing it
> might fail due to the policy not compiling or something due to changes
> in mta.te.

httpd uses mta.te? It's a seriously bad name, then.

Bill