> We really shouldn't have compatibility hacks when enabling policy > capabilities, policy capabilities *are* the compatibility hack by > allowing systems to continue to operate in the legacy mode until such > time as the policy has been converted. While this makes sense, as Stephen pointed out, neither Fedora nor Android will be able to quickly enable this capability in reality. What do you think about two alternative ideas for right things; just start to interpret wildcards without introducing a new capability, or introducing a new syntax that does wildcard full match such as `genfsconwildcard`? I made a typo in my previous mail, but the rationale of supporting wildcards without a new capability is that wildcard metacharacters have actually backward compatibility in the field of genfs. Pseudo filesystems don't contain "*" or "?" in file names, and supported non-pseudo filesystems, DOS and ISO 9660 doesn't allow these characters either.
