On Tue, 2004-04-13 at 09:14, Stephen Smalley wrote:
> On Mon, 2004-04-12 at 04:34, Russell Coker wrote:
> > Having multiple checkpolicy programs will probably be painful. We want all
> > the checkpolicy programs to understand the newest syntax (unless we have a
> > policy.conf for each policy version). This means that the old checkpolicy
> > will need to be updated any time there is a syntax change.
>
> I don't think so. Think of it as similar to the modutils and supporting
> both the old and new module interfaces. You have a single frontend
> checkpolicy script that invokes the right backend checkpolicy-`uname -r`
> binary that generates the corresponding policy version. You never have
> to update the older checkpolicy binaries; you just add new checkpolicy
> binaries for the newer kernels.

And, yes, this will require separate policy.conf files for the different versions, but that is going to be necessary anyway for significant changes to the policy. Even for the netlink class partitioning, you don't want to compile a newer policy.conf that has the fine-grained netlink classes with an older checkpolicy, as the best it could do would be to map them all to the old netlink class, possibly opening up unintended access.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.