[refpolicy] constraints as modules
Russell Coker
russell at coker.com.au
Thu Jul 1 20:15:11 CDT 2010
On Tuesday 01 June 2010 22:39:06 Chris PeBenito wrote:
> > I think it would be ideal if the difference between a MLS system and an
> > MCS system was a single module containing constraints.
>
> While I would agree, there are other issues. The MLS information for
> labeling, range_transitions, users, etc. would also have to be enabled
> on all modules, and then stripped if MLS is disabled. On top of that
> how would you handle MLS vs. MCS since they use the same (MLS) field?
Most modules don't have anything special in relation to MCS or MLS, it's all
TE.

For the modules that do something special you could have two optional
sections, one for MCS and one for MLS. Just as a module can have optional
sections for MySQL and PostgreSQL and use the one that's installed a module
can use MCS or MLS depending on which is installed. The only difference being
that removing one of MCS/MLS and installing the other would have to be an
atomic operation. For the sake of sanity I suggest not having
mcs/constraints.pp and mls/constraints.pp.