On Wed, 1 Apr 2009, Jarrett Lu wrote:

> > With SELinux systems, policies do not need to be identical to be
> > considered part of the same DOI. Generally, labels need to remain
> > semantically equivalent (i.e. mean the same thing on each system), and the
> > policies need to be managed within the same administrative boundary.
> > Systems may restrict which labels they'll interpret from remote systems
> > (similar to root_squash).
> >
>
> Understood. My point is that a signature on a policy file may not always be
> the right tool to determine whether label translation should be done. When
> policies are different on two systems, how does one system know labels or
> types are semantically equivalent or not?

This should be determined via the DOI.

> Are you also saying that DOI is tied
> to administrative boundary, and the fact that systems using the same DOI
> implies the label and type definitions in each policy are always semantically
> equivalent?

For DOIs designed to function like this, yes. i.e. it's not a property
inherent to DOIs, but of how they're administered.

- James
--
James Morris
<jmorris@xxxxxxxxx>