2017-05-23 21:11 GMT+02:00 Paul Moore <paul@xxxxxxxxxxxxxx>:
> On Tue, May 23, 2017 at 12:29 PM, Sebastien Buisson
> <sbuisson.ddn@xxxxxxxxx> wrote:
>> Another way could be to add another hook to check policy brief info
>> validity. It would take a string as an input parameter, and return 0
>> if it matches the current policy. So Lustre client code would
>> systematically call this hook, and only call security_policydb_brief()
>> when the policy has changed, to store the current value internally.
>
> I'm not sure I like this approach as much as the one above, for a
> variety of reasons. Is this option more desirable from a Lustre point
> of view?

It is true that now that the notification code is present in the selinux/next branch, it is worth using it.

I was thinking, but I may be wrong, that future inclusion of this series of patches in some distributions' kernels like CentOS or RedHat would be easier if it did not have dependencies on other patches. This is why I thought about an alternative solution.

Technically speaking, the solution based on notifications can fit the Lustre needs, letting Lustre maintain its own sequence number as you suggest.

Sebastien.