[refpolicy] [PATCH] Role type statements no longer declare the role
dac.override at gmail.com
Mon Apr 27 19:05:15 UTC 2015
On Mon, Apr 27, 2015 at 08:55:18PM +0200, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> > On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > > Back in the older days, role type statements automatically declared the role. This was later changed.
> > >
> > > I expect that these macros date from that period and that they should be updated to declare the role.
> > This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
> > Just want to hear opinions.
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> a cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.
I suspect we could then, at least in theory, get rid of (at least some of the) declarations in kernel.te.
Only way to really find out is to test it.
> Sven Vermeulen
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788