On Tue, 9 Mar 2004 18:11, "Stephen C. Tweedie" <sct@xxxxxxxxxx> wrote:
> On Tue, 2004-03-09 at 04:33, Russell Coker wrote:
> > One possibility is to replace files that have not been changed. However
> > that means that if a macro changes without the calling code changing then
> > it could break policy compiles.
>
> That's basically what %config will do in rpm. It's probably the
> simplest default behaviour for things like tunables.te.

Yes, that will work quite well for tunable.te except when we add a new entry that defaults to enabled. If we produce a new policy that has define(`do_whatever') in the default tunable.te then users of the old policy won't get it. This may make things more difficult for us. But I guess we could make every default be a non-define (i.e. if you keep the old tunable.te you get the new default).

More difficult is the macros/program/ directory; if someone changes files in that then the upgrade becomes a lot more difficult to manage.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page