On 01/10/2014 09:49 AM, Paul Moore wrote:
> On Friday, January 10, 2014 09:42:42 AM Stephen Smalley wrote:
>> On 01/09/2014 06:07 PM, Eric Paris wrote:
>>> I believe we need a new initial sid. SECINITSID_INVALID_LABEL....
>>
>> Difficult (impossible?) to do in a fully backward compatible manner (to
>> include the case of loading new policy on old kernel, whether initially
>> or update/reload on an already running kernel with an older policy).
>
> Do we really need to worry about being able to load new policy into an old
> kernel? In general I thought the backward compatible issue was that newer
> kernels needed to support older userspace, not the other way around.

Well, you'll at least need code in the kernel to handle the case where the
policy does not define any new initial SIDs that you introduce in the
policy, remapping them to e.g. unlabeled or something. And you likely want
to ensure that people don't accidentally load new policy into old kernel
and break things, whether by tying the new initial SIDs to a policy
capability or policy version.
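As an added illustration of the two compatibility concerns raised above (this is a constructed model, not code from the SELinux kernel or from anyone in the thread): a hypothetical loader resolves the initial SIDs the kernel knows about against a loaded policy, remaps any SID the policy does not define to the unlabeled context, and refuses a policy whose version is newer than the kernel supports. All SID names, version numbers and contexts are assumptions made for the example.

```c
/* Constructed model of initial-SID resolution at policy load time.
 * Not kernel code; every name, number and context here is illustrative. */
#include <stdio.h>
#include <string.h>

#define KERNEL_MAX_POLICYVERS 29   /* assumed: highest version this kernel loads */
#define MAX_ISIDS 4

/* Initial SIDs this hypothetical kernel references, in fixed kernel order;
 * the last one stands in for the new SID proposed in the thread. */
static const char *kernel_isids[MAX_ISIDS] = {
    "kernel", "unlabeled", "file", "invalid_label"
};
#define SID_UNLABELED 1

struct policy {
    int version;
    const char *contexts[MAX_ISIDS];   /* context per initial SID, NULL if undefined */
};

/* Fills out[] with the context each kernel initial SID resolves to.
 * Returns the number of SIDs remapped to unlabeled, or -1 if the policy
 * is newer than this kernel supports or lacks the unlabeled context. */
int load_initial_sids(const struct policy *p, const char *out[MAX_ISIDS]) {
    int remapped = 0;
    if (p->version > KERNEL_MAX_POLICYVERS)
        return -1;   /* refuse: new policy on an old kernel */
    if (p->contexts[SID_UNLABELED] == NULL)
        return -1;   /* the fallback context itself must exist */
    for (int i = 0; i < MAX_ISIDS; i++) {
        if (p->contexts[i] != NULL) {
            out[i] = p->contexts[i];
        } else {
            out[i] = p->contexts[SID_UNLABELED];   /* undefined -> unlabeled */
            remapped++;
        }
    }
    return remapped;
}

int main(void) {
    /* Constructed: an older policy that predates the invalid_label SID. */
    struct policy old = { 28, { "system_u:system_r:kernel_t",
                                "system_u:object_r:unlabeled_t",
                                "system_u:object_r:file_t", NULL } };
    const char *ctx[MAX_ISIDS];
    int n = load_initial_sids(&old, ctx);
    for (int i = 0; i < MAX_ISIDS; i++)
        printf("%-14s -> %s\n", kernel_isids[i], ctx[i]);
    printf("remapped: %d\n", n);
    return 0;
}
```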