On Wed, May 17, 2017 at 4:45 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Wed, 2017-05-17 at 15:39 -0400, Paul Moore wrote:

...

>> Isn't that the right thing to do anyway? You shouldn't use a policy
>> with a policy capability on a kernel that has no knowledge of the
>> policy capability for the reasons we've already discussed. I'm also
>> going to guess that this isn't as large a problem as we may be making
>> it out; distributions should catch this problem fairly quickly in
>> their development process, and those that are savvy enough to load
>> their own policy should know how to handle this as well.
>
> Possibly I overstated the seriousness of using a policy with an unknown
> policy capability ;)

There ya go, you just made me threaten to fail the policy load to get
here ;)

> Historically we have preserved compatibility in
> policies so that old kernels continued to work correctly even if they
> do not support the capability, and you would only lose out on the
> ability to leverage that capability for improved access control.

Yes, I agree that I don't think this is a serious issue with any of the
existing policy capabilities.

> I don't think we can/should rely on the distributions to ensure that
> users don't end up with unbootable systems ...

I obviously agree, how could one not? However, I also think we need to
take a realistic view of distributions that use rather extreme default
configurations and don't ensure that their updates are properly managed.
I don't see the point in arguing every possible combination in this
thread (I think we all have other more important things to do, at least
I hope we do), but I don't want to be held responsible if a distro
shoots *itself* in the foot.

>> > A warning seemed like a reasonable middle ground between silently
>> > ignoring unknown policy capabilities (as the kernel currently does
>> > before this patch) and rejecting the policy altogether. WARN vs INFO
>> > was due to the fact that an unknown capability seemed more
>> > significant and potentially an indicator of a kernel/policy mismatch
>> > than the state of the known policy capabilities.
>
> Still think warning is best. Willing to degrade to info. Not willing
> to fail on policy load.

INFO please.

-- 
paul moore
www.paul-moore.com