On Wed, Jun 3, 2015 at 2:40 PM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
> Ok, I have finished a revision that addresses your comments (will
> email out shortly). You'll be happy to hear that I am using "extended
> permissions" instead of "operations."
>
> I tried to focus on:
>
> -Creating a stable binary policy format that will work for ioctls and
> netlink (and others) such that the policy version XPERMS_IOCTL will
> remain valid if/when version XPERMS_NETLINK is added

Great, thank you. I realize we may need to change it when we get there,
but I appreciate the effort.

> -Keeping the current version simple, don’t partially add logic for
> selecting between ioctl/netlink in the AVC. I originally started
> adding additional components to the avc structures, but a few
> questions came up that Stephen and I did not know the answer to. It
> makes sense to punt these decisions to if/when the netlink extended
> permissions capability is actually added (saves memory in the
> meantime). The internals can change as long as the binary policy is
> stable.

That sounds fine to me.

--
paul moore
www.paul-moore.com