On Fri, 2003-05-02 at 16:53, David Wheeler wrote:
> One comment I have is that it'd be nice to improve the user-level tool
> that compiles security policy definitions into the file used by the
> SELinux security module. I freely admit that this is a different level
> than the security module - and can be modified separately - but
> it'd be nice to make the language a little simpler NOW than wait.

As you note, the language definition is independent of the module implementation (unless we add an entirely new feature set) and only requires changes to the policy compiler (checkpolicy). The purpose of the RFC is to get comments from the kernel developers on the module implementation before submitting it for inclusion in mainline 2.5.

Several of your suggested changes were eventually adopted into the language or policy structure, typically after others also requested them publicly on the selinux list, e.g. empty statements (;), explicit declarations of attribute names, partitioning file contexts configuration into multiple files, nested braces, dontaudit rules.

With regard to further changes to the language, they now have to be vetted by the SELinux community, as there are already a number of policy tools developed and in development based on the current language. It is also the responsibility of the proposer to provide at least a rough patch demonstrating their idea, as we do not have time to do this ourselves.

-- 
Stephen Smalley <sdsat_private>
National Security Agency

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
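The language features the reply lists (empty statements, explicit attribute declarations, nested braces, dontaudit rules) are easier to recognise in a concrete type-enforcement fragment. The block below is an added illustration written for this archive page, not code from the thread or from the SELinux reference policy; the type and attribute names are hypothetical, and it is only the TE-rule portion of a policy, so it assumes the usual preamble (class, sid and access-vector declarations) precedes it before checkpolicy would accept the file.

```text
# Added illustration, not from the original thread. Names such as
# example_t, example_exec_t and example_tmp_t are hypothetical.

attribute domain;              # explicit attribute declaration
attribute file_type;

type example_t, domain;        # attributes may be assigned at declaration
type example_exec_t, file_type;
type example_tmp_t, file_type;

;                              # an empty statement is accepted

# Nested braces: the inner set is flattened into the enclosing set, so
# this is the same as allowing read/getattr/open on both file types.
allow example_t { example_exec_t { example_tmp_t } } : file { read getattr { open } };

# dontaudit: the access is still denied, but the denial is not written
# to the audit log. Use it to silence a known-harmless probe by a well
# understood program; a misplaced dontaudit hides exactly the denial you
# would need to see when debugging or investigating the domain later.
dontaudit example_t self : capability { sys_resource };
```

When reviewing a policy, treat every dontaudit rule as a place where visibility has deliberately been given up: confirm the silenced access really is a harmless probe, and re-enable auditing for that domain (or temporarily drop the rule) before trusting an absence of denials as evidence that the domain behaves.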
This archive was generated by hypermail 2b30 : Mon May 05 2003 - 11:46:19 PDT