Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.


 



Harry Ciao wrote:
Hi Joshua,

Joshua Brindle wrote:
HarryCiao wrote:
<snip>

The implementation of the save-linked option has no idea about the effort to
separate tunables from booleans, so I am afraid it won't help much.


I'm not sure about this. The linked policy should have everything that the
original modules had, with only the value mapping changed. The expansion is
where things get removed. This behavior should not change for a variety of
reasons, including the ability to do a full semantic analysis of the linked policy.


I can't agree more that the linked module has everything but with the
identifiers' values remapped. Actually, separate_tunables() is called
at the very end of the link phase, which would do three operations:
1. change the flags for some cond_bool_datum_t;
2. change the flags for some cond_node_t;
3. re-link the effective branch of a tunable conditional, to the end of
its home decl->avrules list;

The 1st and 2nd operations won't stand in the way of any analysis, and
we could set the "handle-tunable = preserve" option in semanage.conf to
bypass the 3rd one.


We should defer the movement of effective rules to the main avrules list until expand, I hate adding even more side effects to link than already exist (it needs to just link, not move stuff around, not remove things, not change the effective policy, etc).

You can do it as a first step to expand, it should entail just moving it from link.c to expand.c and adding it to the expand_module function.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

