Re: Update to docs


 



Attached is a patch to help address the need for better per-device maintainability.
Here are some general notes concerning functionality.

- An 'sepolicy' subdirectory is now required under device directories.
- Two per-device product variables are now available: PRODUCT_SEPOLICY_REPLACE and PRODUCT_SEPOLICY_UNION.
  These variables should be set somewhere within one of your device specific makefiles.
- No longer allow an 'sepolicy.' prefix (except *te files). Under the sepolicy directory, names revert back to their original
  forms (i.e. file_contexts, property_contexts, genfs_contexts). te files may be named with whatever prefix is deemed
  appropriate but must end with '.te'.
- When listing a policy file in PRODUCT_SEPOLICY_REPLACE the entire original file is replaced. This patch doesn't offer any
  type of surgical strike inside policy files. So in most cases you'll have to copy over the original file first then make your
  rule/label change(s).
- Unions work just as with the previous functionality, appended to the end. 

As always, I welcome any additional ideas or comments.

On Fri, Sep 14, 2012 at 4:28 PM, Radzykewycz, T (Radzy) <radzy@xxxxxxxxxxxxx> wrote:
Sounds good.  I haven't thought about the implementation at all.

________________________________________
From: Stephen Smalley [sds@xxxxxxxxxxxxx]
Sent: Friday, September 14, 2012 9:29 AM
To: Radzykewycz, T (Radzy)
Cc: William Roberts; selinux@xxxxxxxxxxxxx; Craig, Robert P.
Subject: Re: Update to docs

On Fri, 2012-09-14 at 16:19 +0000, Radzykewycz, T (Radzy) wrote:
> There have been a couple times when I wanted to remove a rule from the
> system policy for a specific BSP.  So I guess I would vote for
> override if I need to choose one or the other.  But would it be
> reasonable to allow both overrides and concatenates ?  That would be
> my preference.

Maybe we could provide two variable definitions in the makefiles, one
for policy files that should replace/override and one for policy files
that should concatenate/union with the base policy files?

--
Stephen Smalley
National Security Agency



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Attachment: external_sepolicy.patch
Description: Binary data
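
Added example (not part of the original message or the attached patch): a small Python model of the replace and union behaviour described in the notes above, plus a check for base-policy lines that a whole-file replace would lose. The function names, the dict stand-ins for the policy directories and the sample labels are constructed for illustration; rejecting a file listed in both variables is an assumption, since the message does not cover that case.

```python
# Added illustration: models the behaviour described in the message.
# Not the patch's code; all names and sample labels here are constructed.

def check_name(name):
    """Naming rule: no 'sepolicy.' prefix, except on files ending in '.te'."""
    if name.startswith("sepolicy.") and not name.endswith(".te"):
        raise ValueError(f"{name}: 'sepolicy.' prefix is only allowed on .te files")

def resolve_policy(base, device, replace=(), union=()):
    """Return {file name: text} after applying the per-device lists.

    base and device map file names to text, standing in for the base policy
    directory and the device's 'sepolicy' subdirectory.
    """
    both = set(replace) & set(union)
    if both:  # assumption: the message does not define this case
        raise ValueError(f"listed in both variables: {sorted(both)}")
    for name in (*replace, *union):
        check_name(name)
        if name not in device:
            raise FileNotFoundError(f"{name} not found in device sepolicy directory")
    result = dict(base)
    for name in replace:
        result[name] = device[name]                         # whole file replaced
    for name in union:
        result[name] = result.get(name, "") + device[name]  # appended to the end
    return result

def dropped_lines(base, device, name):
    """Base lines missing from a replacement file (lost unless copied over)."""
    kept = set(device[name].splitlines())
    return [ln for ln in base.get(name, "").splitlines() if ln.strip() and ln not in kept]

# Constructed sample content, not taken from any real device tree.
BASE = {
    "file_contexts": "/system(/.*)?  u:object_r:system_file:s0\n"
                     "/data(/.*)?  u:object_r:system_data_file:s0\n",
    "property_contexts": "net.  u:object_r:system_prop:s0\n",
}
DEVICE = {
    "file_contexts": "/system(/.*)?  u:object_r:system_file:s0\n"
                     "/dev/foo  u:object_r:foo_device:s0\n",
    "property_contexts": "vendor.foo.  u:object_r:system_prop:s0\n",
}

if __name__ == "__main__":
    merged = resolve_policy(BASE, DEVICE, replace=["file_contexts"], union=["property_contexts"])
    print(merged["property_contexts"], end="")
    print("dropped by replace:", dropped_lines(BASE, DEVICE, "file_contexts"))
```

Running `dropped_lines` on every replaced file before a build shows which base labels or rules were left out when the original was copied over and edited.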

