On Thu, Jan 9, 2014 at 5:49 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
> On Thu, 2014-01-09 at 23:21 +0100, Dominick Grift wrote:
>> On Thu, 2014-01-09 at 16:53 -0500, Daniel J Walsh wrote:
>> Then leave the unlabeled isid for netlabel (I think netlabel also uses
>> the unlabeled isid)
>>
>> That way we can also get rid of the inconsistency where "unlabeled"
>> nodes are labeled with the object_r role. (nodes are active entities so
>> I would argue the system_r role would be more sensible for nodes)
>
> Not sure if it was peers, nodes or both but I know I was a little
> annoyed by the inconsistency. I like consistency and intuitiveness.
>
> (on a side note: "system_u:object_r:node_t" is also associated with the
> node isid currently, not sure if "system_u:system_r:node_t" would be
> more appropriate -- same for netlabel_peer I guess)
>
>> Then maybe while we are at it also see if we can fix that isid ordering
>> issue. If one in one's policy messes up the ordering of the isid context
>> specs one gets all kinds of weird behavior.
>
> Not the isid contexts specification ordering but the isid declarations
> ordering (in the initial_sids file)

In general I'm not opposed to reworking the initial sid bits, including
adding/removing initial sids, but it's pretty low on my priority list as
there are still bugs that need squashing. I also haven't dug into the
toolchain aspect of the initial sid stuff; that could change my opinion.

--
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx