On Fri, Feb 14, 2020 at 8:22 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 2/14/20 7:46 AM, Ondrej Mosnacek wrote:
> > On Wed, Jan 29, 2020 at 5:42 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >> Fully decoupling the policy and kernel initial SID values will
> >> require introducing a mapping between them and dyhamically
> >
> > Nit: s/dyhamically/dynamically/
>
> Ah, thanks; will fix if I need to re-spin.

Normally this would fall under the category of something I could
fix-up during a merge, but I think there are a few changes, mostly
documentation, that we should add to this patch.

First off, I know MLS is the policy everyone wants to forget, but it
*is* used so let's not cause them any more pain than they are already
feeling. That should add a few initial SIDs back into the list, but I
think it still frees up plenty.

Second, when we load the initial SIDs, in policydb_load_isids(), you
show an error if one of these isids is assigned a context:

+ if (sid == SECSID_NULL) { + pr_err("SELinux: SID null was assigned a context.\n"); ...

I would suggest that we also display the SID number like below so that
policy devs have a better idea of which isid is causing the problem:

+ if (sid == SECSID_NULL) { + pr_err("SELinux: SID null(%u) was assigned a context.\n", sid);

Lastly, and most importantly, there is a lot of good discussion,
including a "roadmap" in the GH issue, let's try to capture that in
this patch description (maybe minus your retirement plans Stephen
<g>). I have no idea where GH may be in a few years, but the git log
is FOREVER ;)

--
paul moore
www.paul-moore.com
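
Review bot: In the suggested pr_err() line, sid is printed inside the `if (sid == SECSID_NULL)` branch, so the `%u` can only ever show the value of SECSID_NULL and does not tell a policy developer which initial SID entry is at fault. Either keep the fixed message without the argument, or print a value that actually varies per entry; nothing suitable is visible in the quoted lines, so it would have to come from the surrounding code in policydb_load_isids().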