Stephen Smalley wrote:
> Upgrade of base usually reflects a full policy update, whereas
> inserting a random module does not. And if base doesn't work (e.g.
> doesn't have the capabilities it requires), then the system likely
> won't boot or function at all (modulo legacy rules). I'm more
> comfortable with letting base dictate the policy capabilities than
> other modules.

So if I understand correctly you are suggesting we restrict the declaration of policycaps to base. I have a version of the patch set that does this--attempting to set a policycap in a module other than base results in a syntax error from checkpolicy.

If that is how we want to proceed I can send it out; the differences from the last one are minor as you might expect.

- todd