Stephen Smalley wrote:
> Is that the right place to check it (vs. upon sepol_policydb_set_vers,
> although checkpolicy/checkmodule don't presently use that)?

We could do it both in sepol_policydb_set_vers as well as in checkpolicy (checkmodule doesn't allow the user to specify the version so I don't think there is a need for a check there). There is an advantage in doing the check in checkpolicy as the user would be warned much earlier. Unfortunately, I don't think we can call ERR() from sepol_policydb_set_vers which means the user won't get a useful error message from, e.g. semodule. The user ends up with a confusing error like this:

libsepol.policydb_read: policydb module version 7 does not match my version range 4-6
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/modules/acct.pp.
/usr/sbin/semodule: Failed!

> Also, what does this mean for automatic dowgrading of policy versions
> at policy load time? For example, if booting an old kernel with a
> newer policy that had MLS enabled.

The question is whether or not automatic downgrading in this case really makes sense. I'm not convinced that it does.

- todd

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
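The point Todd makes above is that a version check belongs at the front end, where the user chose the version, rather than deep in a reader that can only report "does not match my version range". The following is an added illustration of that early-check pattern, not code from the thread or from libsepol/checkpolicy. The version bounds, the `enum target`, and the function names are constructed for the example; the real bounds are the `POLICYDB_VERSION_MIN/MAX` and `MOD_POLICYDB_VERSION_MIN/MAX` macros in libsepol and change between releases.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

/* Assumed bounds for illustration only (not libsepol's real values). */
#define KERN_VERSION_MIN 15
#define KERN_VERSION_MAX 21
#define MOD_VERSION_MIN   4
#define MOD_VERSION_MAX   6

enum target { TARGET_KERNEL, TARGET_MODULE };

/* Parse a user-supplied "-c <version>" style argument strictly:
 * the whole string must be a non-negative decimal number.
 * Returns the version, or -1 on malformed input. */
int parse_version_arg(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

/* Returns 1 when vers lies inside the range this build can write for the
 * given target, 0 otherwise. Pure predicate so callers can branch on it. */
int version_in_range(enum target t, int vers)
{
    int lo = (t == TARGET_MODULE) ? MOD_VERSION_MIN : KERN_VERSION_MIN;
    int hi = (t == TARGET_MODULE) ? MOD_VERSION_MAX : KERN_VERSION_MAX;
    return vers >= lo && vers <= hi;
}

/* Front-end check: validate before any policy is written. On failure the
 * caller gets a message naming the supported range, instead of a later
 * consumer (e.g. a module loader) failing with an opaque "invalid module". */
int validate_policy_version(enum target t, int vers, char *errbuf, size_t len)
{
    if (version_in_range(t, vers))
        return 0;
    snprintf(errbuf, len,
             "requested %s policy version %d is outside the supported range %d-%d",
             (t == TARGET_MODULE) ? "module" : "kernel", vers,
             (t == TARGET_MODULE) ? MOD_VERSION_MIN : KERN_VERSION_MIN,
             (t == TARGET_MODULE) ? MOD_VERSION_MAX : KERN_VERSION_MAX);
    return -1;
}

int main(int argc, char **argv)
{
    char err[128];
    /* Constructed default mirrors the thread's failing case: module version 7. */
    const char *arg = (argc > 1) ? argv[1] : "7";
    int vers = parse_version_arg(arg);

    if (vers < 0) {
        fprintf(stderr, "invalid version argument '%s'\n", arg);
        return 2;
    }
    if (validate_policy_version(TARGET_MODULE, vers, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    printf("module policy version %d accepted\n", vers);
    return 0;
}
```

Running it with no argument reproduces the thread's scenario (module version 7 against a 4-6 range) and fails immediately with a message that names the range, which is the behaviour Todd argues for in checkpolicy. The strict parser matters too: a trailing character or an empty string is rejected up front rather than silently truncated to a number that happens to pass.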