On 15-10-27 09:37:56, Dmitry Kasatkin wrote:
> 
> What I just ask is when we can get concurrent writers?

Yes.  I think Mark Baushke just did that.

> I think system is updated by updating image or packages.

Nope, ours isn't using the conventional mechanism of "packages".

> In the first case policy update comes with the new image and loaded on reboot.

No reboots for high availability hardware/software.  We ain't talking PCs here.

> In the second case, keys, policy and software come with packages.
> Before new software (signed with a new key) can be used, keys and policy
> need to be loaded.
> The order is important - first keys, policy, then software can be
> installed and used.

I do agree - order is very important.  The vendor's keys, policy, etc. come
first, then everyone else's.  With adequate documentation in hand it is trivial
to add new keys/rules when, for example, new software arrives.

> Packages are usually installed in ordered manner (not concurrently).
> Basically policy writing will happen also in ordered manner.

I don't like relying on user-space for doing things the right way.  And the 
machines we're talking about can't guarantee policy writes will happen in any 
particular order, except for the vendor's, which unconditionally comes first.

> So what I claim, is that there are no concurrent policy writers.

Er, I think we kind of cleared this one. :)


cheers,
Petko