On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
> > Stephen Smalley schrieb:
> > >> [ netmask semantic in nodecon ]
> > > Ok, this isn't actually a bug in the code at all.
> >
> > I see. Thanks for clearing that up for me!
> >
> > > Arguably semanage and checkpolicy should apply the mask to the address
> > > as a precaution against misconfiguration by the user. That's easy
> > > enough to do.
> > >
> > > Other tidbits on the semanage patch that I noticed:
> > > - semanage node -l was broken, requires an additional argument that has
> > > been added to the list methods subsequently. Also would be nice to
> > > support locallist/-C option.
> > > - semanage node -p option should take a string rather than an integer
> > > and map it to the proper symbolic constant for ipv4/ipv6.
> > > The ordering issue is a red herring at least for this example as the
> > > sort is only applied to the local entries, and then they are merged to
> > > the front of the policy-provided definitions. Which may become an issue
> > > down the road particularly if we move object contexts to modules.
> >
> > I think I could do the changes to at least the semanage code, if there
> > is still interest in it.
> >
> > But I must admit that my understanding of the "ordering issue" is quite
> > limited and my list research on an explanation was unsuccessful so far.
> > Is this a blocker for general semanage support of nodecons?
>
> I think it is fine to proceed with merging the semanage support, and
> then we can further investigate and seek to resolve the ordering issues.
>
> Please be sure to test each of the nodeRecords methods.

Are you still pursuing getting this cleaned up and merged?

> Dan and/or Joshua - it would help if you could look it over as well.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
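The two precautions raised in the quoted review (apply the netmask to the address before a nodecon is stored, and map the `-p` string to a symbolic protocol constant), written out as an added Python example that is not code from the thread or from the semanage project. The function names are mine, and the constant values are assumed to mirror libsepol's SEPOL_PROTO_IP4/SEPOL_PROTO_IP6.

```python
import ipaddress

# Numeric values are assumed to mirror libsepol's SEPOL_PROTO_IP4/SEPOL_PROTO_IP6.
SEPOL_PROTO_IP4 = 0
SEPOL_PROTO_IP6 = 1
PROTO_BY_NAME = {"ipv4": SEPOL_PROTO_IP4, "ipv6": SEPOL_PROTO_IP6}


def proto_from_string(name):
    """Map the 'semanage node -p' argument ('ipv4'/'ipv6') to its constant."""
    try:
        return PROTO_BY_NAME[name.strip().lower()]
    except KeyError:
        raise ValueError("protocol must be ipv4 or ipv6, got %r" % (name,))


def normalize_nodecon(addr, mask):
    """Apply the netmask to the address before the nodecon is stored.

    Returns (network_address, host_bits_cleared). host_bits_cleared is True
    when the user supplied an address with bits set outside the mask, which is
    the misconfiguration the thread says semanage/checkpolicy should guard against.
    """
    a = ipaddress.ip_address(addr)
    m = ipaddress.ip_address(mask)
    if a.version != m.version:
        raise ValueError("address %s and mask %s differ in IP family" % (addr, mask))
    width = a.max_prefixlen
    mask_int = int(m)
    # A valid netmask is a run of ones followed by zeros, so its complement
    # (the host bits) must have the form 2**k - 1.
    host_bits = ~mask_int & ((1 << width) - 1)
    if host_bits & (host_bits + 1):
        raise ValueError("non-contiguous netmask %s" % mask)
    # Rebuild with the address's own class: ip_address(int) would turn a
    # small IPv6 integer into an IPv4 address.
    masked = type(a)(int(a) & mask_int)
    return str(masked), int(a) != int(masked)


def nodecon_record(addr, mask, proto_name, context):
    """Validate one node record the way 'semanage node -a' could before saving."""
    network, cleared = normalize_nodecon(addr, mask)
    return {"addr": network, "mask": mask,
            "proto": proto_from_string(proto_name),
            "con": context, "host_bits_cleared": cleared}
```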