RE: v3 Add role attribute support to libsepol

Hi Steve,

It's NICE to hear back from you :-) Please see my replies below.

> Date: Fri, 22 Jul 2011 15:51:37 -0400
> From: slawrence@xxxxxxxxxx
> To: harrytaurus2002@xxxxxxxxxxx
> CC: cpebenito@xxxxxxxxxx; method@xxxxxxxxxxxxxxx; selinux@xxxxxxxxxxxxx
> Subject: Re: v3 Add role attribute support to libsepol
>
> --snip--
>
> >>
> >>> > 2. The policy.X's binary representation and SELinux kernel role_datum_t
> >>> > structure don't have to be changed, so the max version number for
> >>> policy.X
> >>> > won't have to be bumped.
> >>> >
> >>> > But it may be desirable to bump the max module version number.
> >>> >
> >
> > Write flavor flag and roles ebitmap into a pp file and read them out unconditionally; this would only run into a problem under one condition, that libsepol/checkpolicy are upgraded with this patchset but the pp files were built before the upgrade took place, which I think could be easily fixed by re-building all pp files with the upgraded libsepol/checkpolicy.
> >
> > So I think we don't have to bump MOD_POLICYDB_VERSION_MAX higher.
> >
> > Am I right?
> >
> > BTW, how do we trigger a pp downgrade? Anything like OUTPUT_POLICY or policy-version to trigger policy downgrade?
> >
> > Thanks,
> > Harry
> >
>
> There isn't a tool that can force a policy module downgrade, but it can
> be done programmatically, so it should be supported. Additionally, it
> shouldn't require that modules be rebuilt if the toolchain is updated.
> So please add a new module version and check that before reading/writing
> the new role attribute information.


Yep, I've got your point. Turns out it would be very easy to trigger a module downgrade, for example, simply by adding one line:

policyvers = MOD_POLICYDB_VERSION_MAX - 1;

in write_binary_policy() in checkmodule.c.

I have introduced a new MOD_POLICYDB_VERSION_ROLEATTRIB (== 13) and bumped MOD_POLICYDB_VERSION_MAX to it; all tests passed, and I will send out the v4 patchset next Monday.

>
> Aside from that, I've reviewed this patchset and everything looks
> reasonable. I still want to test this a little more, but assuming I
> don't see any issues with a little more testing, and pending a fix
> for a module version bump, I'm fine with merging this.
>

Many thanks for all your (and others') help on this patchset over the last two months; if you have any further comments or issues, just let me know.

BTW, once this patchset is applied, we would have to change refpolicy to declare nx_server_r and unconfined_r explicitly, since the role-types rule would no longer declare a role; we should use the new role-attr rule to declare them instead (just "role nx_server_r" and "role unconfined_r" before they are ever used).

Best regards,
Harry


> - Steve
>
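Steve's request above, gating the new role attribute data on a module version check so that a downgraded module stays readable, shown as a simplified added illustration that is not part of the patchset or of libsepol: the version constant's value, the flavor values and the fixed-width role record are constructed stand-ins for libsepol's own policydb structures and ebitmap encoding.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the constants named in the thread, not libsepol's headers. */
#define MOD_POLICYDB_VERSION_ROLEATTRIB 13
#define ROLE_ROLE   0
#define ROLE_ATTRIB 1

/* Simplified role record: flavor and the member-role bitmap are the new fields
 * the patchset adds (libsepol uses an ebitmap; a 32-bit mask stands in here). */
struct role_rec {
    uint32_t value;
    uint32_t flavor;
    uint32_t roles;   /* bit i set => role with value i is a member */
};
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_le32(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write one role. The attribute fields are emitted only when the module
 * version promises them, so a downgraded module stays readable by old tools. */
size_t role_write(const struct role_rec *r, unsigned policyvers, unsigned char *buf) {
    size_t n = 0;
    put_le32(buf + n, r->value); n += 4;
    if (policyvers >= MOD_POLICYDB_VERSION_ROLEATTRIB) {
        put_le32(buf + n, r->flavor); n += 4;
        put_le32(buf + n, r->roles);  n += 4;
    }
    return n;
}

/* Mirror of role_write: a pre-ROLEATTRIB module decodes as a plain role with
 * an empty bitmap instead of misreading the next record as attribute data. */
size_t role_read(struct role_rec *r, unsigned policyvers, const unsigned char *buf) {
    size_t n = 0;
    r->value = get_le32(buf + n); n += 4;
    r->flavor = ROLE_ROLE; r->roles = 0;
    if (policyvers >= MOD_POLICYDB_VERSION_ROLEATTRIB) {
        r->flavor = get_le32(buf + n); n += 4;
        r->roles  = get_le32(buf + n); n += 4;
    }
    return n;
}

/* Round-trip a constructed attribute at one version; returns bytes on the wire. */
size_t roundtrip(unsigned policyvers, struct role_rec *out) {
    struct role_rec in = { 7, ROLE_ATTRIB, (1u << 2) | (1u << 5) };
    unsigned char buf[12];
    size_t n = role_write(&in, policyvers, buf);
    return role_read(out, policyvers, buf) == n ? n : 0;
}
```

At version 13 the record carries all twelve bytes; at version 12 (the downgrade Harry describes) only the four-byte role value is written and read, so the writer and reader stay in step.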
