On Wed, 2008-07-16 at 19:44 +0200, David Härdeman wrote: > On Wed, Jul 16, 2008 at 01:13:03PM -0400, Daniel J Walsh wrote: > >David Härdeman wrote: > >> While working on SELinux-enabling a Debian system, I often Google for > >> avc messages that show up in dmesg and 90% of the time it seems that the > >> problem has already been solved in Fedora's version of the refpolicy but > >> not in the upstream version. > ... > >> The question is how to treat the patches after that? Should I post them > >> as I go through them (a couple per day for a couple of weeks?) and hope > >> that someone at Tresys will apply them? [...] > I guess what I'm really wondering is if I can help you in some way? The main points which would improve upstreaming efficiency from Dan's set are: 1. description / justification What this means tends to vary depending on what access is added by a patch. A patch that allows reading of usr_t files probably doesn't need a big description while a patch that allows reading shadow_t does. "myapp breaks without this rule" isn't a very good explanation, especially if the access is questionable. The app may be incorrectly requesting extra access or it might be a bug in the app. 2. style The changes need to meet the refpolicy style guidelines. Dan is pretty good about this, but with the volume, things still get by. 3. patch composition A patch should be a changeset. So if a rule is added to a bunch of domains for the same reason, then that should be in a single patch by itself. If you add an interface so some modules can call it, that should be a single patch that includes the new interface and the additions to the callers. This enables me to review the change as a whole, and not have distractions from unrelated changes. A set of small fixes to a single module can be a single patch. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
