On Fri, 2009-04-10 at 17:43 +0500, Alexey S wrote: > On Thu, Apr 09, 2009 at 11:28:03AM -0400, James Carter wrote: > > I am looking at improving the policy infrastructure. The ultimate goal > > is to make SELinux policy writing, policy customization, policy > > management, and administration easier and less confusing. My focus will > > be on the userspace parts of SELinux. > > > > My plan to do this is as follows: > > (1) Determine and enumerate the existing problems of the current > > infrastructure. > > (2) Determine the desired capabilities and architecture of the ideal > > infrastructure. > > (3) Determine the changes needed to the current architecture to fix the > > current problems and to provide the desired capabilities. > > (4) Make the policy infrastructure as close to the ideal as possible > > while providing some kind of backwards compatibility and taking other > > practicalities into consideration. > > > > I have had some informal discussions with others internally and at > > Tresys, and the five emails to follow have my summary of the problems > > that have been identified in those discussions. > > > > My hope is that there will be a good discussion and that others on the > > list will identify other problems and provide more details or examples > > to the problems already identified. > > May I put my 5cents? > It would be great if mapping of domain attributes to numbers be preserved > somewhere during linking/expanding of modules into binary policy. > And if libqpol-based tools would be able to use that mapping when displaying > their results. > Otherwise it is too confusing to see @ttr0121 instead of domain_type during policy > analysis, especially when numbers change after module (re|un|)load. policy.24 already makes this change (preservation of attribute names in the types symtab in the final kernel policy). You can however already see the attribute names with policy < 24 by running apol and friends on the modular policy rather than the final kernel policy. > PS: Could binary policy have 'debug' segments, that are not loaded into kernel, > but persist in a file? > PPS: Have I missed something somewhere? It is so obviously inconvenient, so > I don't believe it's only me requesting this thing. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
