Re: [PATCH][RFC] selinux: remove noop secondary_ops calls


On Wed, 2009-01-28 at 19:55 -0800, James Morris wrote:
> These patches remove calls to secondary_ops where there is no
> real capability hook, and a couple of SELinux hooks which only
> called these noop hooks.

These look fine to me, modulo the comments already made by Eric and
Serge.

You could further replace the remaining secondary_ops calls with direct
cap_ calls, since the dummy module is gone and the secondary module can
only be the capability module.  Smack and AppArmor already do this, I
believe.

At that point secondary_ops would only be used by selinux_init() to save
the original security_ops pointer for use by selinux_disable() to
restore the original pointer, which ideally would be handled by the
security framework instead (possibly by restoring a limited
unregister_security() that resets to the default_security_ops).

-- 
Stephen Smalley
National Security Agency

