SELinux Mailing List

RE: [patch 0/2] policy capability support

From: Todd Miller <Tmiller_at_tresys.com>
Date: Thu, 6 Dec 2007 15:24:01 -0500


Stephen Smalley wrote:
> Upgrade of base usually reflects a full policy update, whereas
> inserting a random module does not. And if base doesn't work (e.g.
> doesn't have the capabilities it requires), then the system likely
> won't boot or function at all (modulo legacy rules). I'm more
> comfortable with letting base dictate the policy capabilities than
> other modules.

So if I understand correctly, you are suggesting we restrict the declaration of policycaps to base. I have a version of the patch set that does this--attempting to set a policycap in a module other than base results in a syntax error from checkpolicy. If that is how we want to proceed, I can send it out; the differences from the last one are minor, as you might expect.

 - todd
Received on Thu 6 Dec 2007 - 15:24:14 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service