On Wed, May 10, 2017 at 8:58 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> I'm not proposing introducing policy capabilities for those commits
> retroactively; I don't think that would be productive now that they are
> already in upstream kernels and policies. I just wanted to determine
> whether or not we think similar changes in the future should be wrapped
> with policy capabilities.
>
> If so, then I think that motivates lighter weight policy capabilities,
> as otherwise for each of these changes (and others too - e.g. probably
> the prlimit change) we would have been in the same position as with
> extended_socket_class, i.e. waiting for a release of libsepol that
> defines the new policy capability, requiring refpolicy to add a
> dependency on that specific libsepol version before it could be enabled
> by default, waiting for Fedora to update to that version, etc.

That's fine with me. As I said earlier, I'm not opposed, I just wanted to
make sure this is a definite "must have".

--
paul moore
www.paul-moore.com