Joshua Brindle wrote:
> Harry Ciao wrote:
>> Hi Joshua,
>>
>> Joshua Brindle wrote:
>>> HarryCiao wrote:
>>> <snip>
>>>
>>>> The implementation of the save-linked option has no idea about the
>>>> effort to separate tunables from booleans, so I am afraid it won't
>>>> help much.
>>>>
>>> I'm not sure about this. The linked policy should have everything that the
>>> original modules had, with only the value mapping changed. The expansion is
>>> where things get removed. This behavior should not change for a variety of
>>> reasons, including the ability to do a full semantic analysis of the
>>> linked policy.
>>>
>> I can't agree more that the linked module has everything, but with the
>> identifiers' values remapped. Actually, separate_tunables() is called
>> at the very end of the link phase, and it does three operations:
>> 1. change the flags for some cond_bool_datum_t;
>> 2. change the flags for some cond_node_t;
>> 3. re-link the effective branch of a tunable conditional to the end of
>> its home decl->avrules list.
>>
>> The 1st and 2nd operations won't stand in the way of any analysis, and
>> we could set the "handle-tunable = preserve" option in semanage.conf to
>> bypass the 3rd one.
>>
>
> We should defer the movement of effective rules to the main avrules
> list until expand. I hate adding even more side effects to link than
> already exist (it needs to just link, not move stuff around, not
> remove things, not change the effective policy, etc.).
>
> You can do it as a first step to expand; it should entail just moving
> it from link.c to expand.c and adding it to the expand_module function.
>

Alright, I have moved it from the very end of link_modules() to the very start of expand_module(). I will send the v1 patch along with the one manipulating the sepol handle.

Thanks,
Harry

-- 
This message was distributed to subscribers of the selinux mailing list.