Installing new policy?
Russell Coker
russell at coker.com.au
Tue Mar 9 11:57:27 UTC 2004
On Tue, 9 Mar 2004 18:11, "Stephen C. Tweedie" <sct at redhat.com> wrote:
> On Tue, 2004-03-09 at 04:33, Russell Coker wrote:
> > One possibility is to replace files that have not been changed. However
> > that means that if a macro changes without the calling code changing then
> > it could break policy compiles.
>
> That's basically what %config will do in rpm. It's probably the
> simplest default behaviour for things like tunables.te.

Yes, that will work quite well for tunable.te except when we add a new entry
that defaults to enabled. If we produce a new policy that has
define(`do_whatever') in the default tunable.te then users of the old policy
won't get it. This may make things more difficult for us. But I guess we
could make every default be a non-define (i.e. if you keep the old tunable.te
you get the new default).

More difficult is the macros/program/ directory; if someone changes files in
that then the upgrade becomes a lot more difficult to manage.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
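
The default-sense problem described in the message above, as an added m4 example that is not from the original post or from the policy sources. `do_whatever` is the message's own placeholder; `old_setting`, `no_whatever`, `sense_pos_t`, `sense_neg_t` and the rules themselves are hypothetical.

```m4
dnl Constructed example: one new policy rule written in both senses and
dnl expanded against an OLD tunable.te that the upgrade preserved because
dnl the admin had edited it.

dnl ---- old tunable.te, kept across the upgrade ----
dnl It predates the new tunable, so it mentions neither name tested below.
define(`old_setting')dnl  hypothetical tunable that already existed

dnl ---- new policy, positive sense ----
dnl The new default tunable.te ships define(`do_whatever'), but the kept
dnl file lacks it, so this rule silently drops out on upgraded systems.
ifdef(`do_whatever', `allow sense_pos_t self:capability net_bind_service;
')dnl

dnl ---- new policy, negative sense: every default is a non-define ----
dnl The rule stays on unless the admin adds define(`no_whatever'), so the
dnl kept file picks up the new default without being replaced.
ifdef(`no_whatever', `', `allow sense_neg_t self:capability net_bind_service;
')dnl
```

Expanded with m4, only the `sense_neg_t` rule is emitted: the preserved file loses the positive-sense default and keeps the negative-sense one.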