On Wed, 2010-04-21 at 21:53 -0400, Karl MacMillan wrote:
> The
> attached patch adds attribute handling to sepolgen. It's only lightly
> tested but I wanted you to get it sooner rather than later.

Evidently this patch has made its way into F-13 and RHEL-6, although it
is still not upstream.

Some concerns/questions:

- This creates a dependency of sepolgen-ifgen on a specific policy.
  Previously it was only dependent on the headers. But this will mean
  that the data generated by sepolgen-ifgen and used by sepolgen could
  easily differ for targeted vs mls even if they use the same headers.
  Do we need per-policy data directories for sepolgen?

- It should be possible to load a specified policy file rather than
  always using the active one.

- You are using the latest policy version supported by the kernel rather
  than the one supported by libsepol. See audit2why.c or load_policy.c in
  libselinux to see how they determine the right policy version to use by
  default. Otherwise this will break when we have divergence between the
  libsepol and kernel supported policy versions (i.e. whenever we next
  introduce a new policy version).

- This creates another user of the static libsepol.

-- 
Stephen Smalley
National Security Agency
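
The policy-version concern in the message above, as an added example that is not part of the original message and is not code from sepolgen, libsepol or libselinux. It sketches a lookup driven by the library's supported version range next to one driven by the kernel's version; the function names, the version numbers and the policy file are constructed for illustration.

```python
import os
import tempfile


def pick_policy_file(base_path, lib_max, lib_min=1, exists=os.path.exists):
    """Return (path, version) for the newest policy file the library can read.

    lib_max and lib_min are assumed to be the version range reported by the
    policy library itself, not by the running kernel.
    """
    for vers in range(lib_max, lib_min - 1, -1):
        path = "%s.%d" % (base_path, vers)
        if exists(path):
            return path, vers
    raise FileNotFoundError(
        "no %s.N for N in %d..%d" % (base_path, lib_min, lib_max))


def pick_by_kernel(base_path, kernel_vers, exists=os.path.exists):
    """Kernel-driven lookup, the behaviour the message raises as a concern."""
    path = "%s.%d" % (base_path, kernel_vers)
    return (path, kernel_vers) if exists(path) else None


def demo():
    """Constructed case: kernel at version 25, library and policy file at 24."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "policy")
        open(base + ".24", "wb").close()  # the only policy file on disk
        by_kernel = pick_by_kernel(base, kernel_vers=25)
        _, by_library = pick_policy_file(base, lib_max=24, lib_min=15)
        return by_kernel, by_library


if __name__ == "__main__":
    print(demo())
```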