On 01/08/2014 03:44 PM, Steve Lawrence wrote:
> As has been posted to this list before in the past, we have made a lot
> of progress with CIL [1]. Although we are still making changes, we are
> now capable of building SELinux binary policies from CIL versions of
> refpolicy and SEAndroid policy. A related project that we are working
> on, and the purpose of this RFC, is to modify SELinux userspace to
> include the CIL and the Source Policy work completed a few years ago.
> We have completed a preliminary integration, so we are sending out this
> RFC to start discussions and ask questions. To start it off, what is in
> the way of getting these branches merged into master, and how can we
> help mitigate that? Are there any changes that you question? Can we find
> a work around?
>
> Instead of sending the patchset to this list (54 commits, 4000
> insertions, 2000 deletions), all the changes are pushed to the selinux
> git repository to the following three branches, each one building on the
> other. The branches and their purpose are described below:
>
> src-revert:
>   Reverts changes made to master that conflict with the src-policy
>   branch (e.g. how paths are handled, enabled/disable modules). Rather
>   than dealing with a large amount of conflicts, it was easier to just
>   remove the commits which add conflicting features, rebase the old
>   source policy work on top of that, and add back any features that in
>   manner consistent with source policy. This also reverts the preserve
>   tunables patchset, but as I look at it while typing this, I realize
>   that was unnecessary. Aside from numerous conflicts and the need to
>   add CIL support, the only real issue is that the preserve tunables
>   feature uses the -P flag, which source policy uses for priority. So I
>   guess we'll have to pick a different letter.

Obviously we'll need that support as it is used.

> integration:
>   This branch builds CIL into libsepol, and updates libsepol,
>   libsemanage, semodule, and semanage to work with and understand only
>   CIL files. Switching to CIL has a few side effects, such as removing
>   base modules, versions, upgrades, adding configuration options to
>   semanage.conf, etc. This also removes support for binary .pp modules.

So what's the transition plan for distributions with existing binary .pp
modules, some of which will be locally generated by users?