Re: Installing new policy?
- From: Russell Coker <russell coker com au>
- To: fedora-selinux-list redhat com
- Subject: Re: Installing new policy?
- Date: Tue, 9 Mar 2004 22:57:27 +1100
On Tue, 9 Mar 2004 18:11, "Stephen C. Tweedie" <sct redhat com> wrote:
> On Tue, 2004-03-09 at 04:33, Russell Coker wrote:
> > One possibility is to replace files that have not been changed. However
> > that means that if a macro changes without the calling code changing then
> > it could break policy compiles.
>
> That's basically what %config will do in rpm. It's probably the
> simplest default behaviour for things like tunables.te.

Yes, that will work quite well for tunable.te except when we add a new entry
that defaults to enabled. If we produce a new policy that has
define(`do_whatever') in the default tunable.te then users of the old policy
won't get it. This may make things more difficult for us. But I guess we
could make every default be a non-define (i.e. if you keep the old tunable.te
you get the new default).

More difficult is the macros/program/ directory: if someone changes files in
that then the upgrade becomes a lot more difficult to manage.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
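
The upgrade problem discussed in the message above, as an added Python illustration that is not part of the original post or of any policy package. It models only whether a define(`name') line is active in a tunable.te file; the file contents and the names `user_tweak`, `some_older_option` and `disable_whatever` are constructed for the example, and reading "non-define" as "the default is what you get when the name is not defined" is an assumption.

```python
import re

# An active m4 tunable looks like: define(`do_whatever')
# A line starting with "dnl" is an m4 comment, so that tunable is off.
DEFINE_RE = re.compile(r"^\s*define\(`([A-Za-z0-9_]+)'\)")

def defined_tunables(text):
    """Return the set of tunable names actively defined in a tunable.te body."""
    return {m.group(1) for line in text.splitlines()
            if (m := DEFINE_RE.match(line))}

def feature_enabled(text, name, on_when_defined):
    """Model ifdef(`name', ...): is the guarded feature on for this file?"""
    present = name in defined_tunables(text)
    return present if on_when_defined else not present

def upgrade_result(kept, shipped, name, on_when_defined):
    """Compare what a user who kept their old file gets with the new default."""
    got = feature_enabled(kept, name, on_when_defined)
    want = feature_enabled(shipped, name, on_when_defined)
    return {"kept_file": got, "new_default": want, "matches": got == want}

# Constructed sample files (not taken from any real policy package).
# KEPT_OLD: a locally edited file that the package upgrade left in place.
KEPT_OLD = "define(`user_tweak')\ndnl define(`some_older_option')\n"
# New default file where the new entry is a define that defaults to enabled.
SHIPPED_POSITIVE = "dnl define(`user_tweak')\ndefine(`do_whatever')\n"
# New default file where the same feature is on unless a name is defined.
SHIPPED_NEGATIVE = "dnl define(`user_tweak')\ndnl define(`disable_whatever')\n"

if __name__ == "__main__":
    # Kept file never mentions do_whatever, so the user silently misses it.
    print(upgrade_result(KEPT_OLD, SHIPPED_POSITIVE, "do_whatever", True))
    # With a non-define default, the kept file still yields the new default.
    print(upgrade_result(KEPT_OLD, SHIPPED_NEGATIVE, "disable_whatever", False))
```
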