On Wed, Sep 26, 2012 at 2:40 PM, Robert Craig <robertpcr...@gmail.com> wrote:

> Attached is a patch to help address the need for better per-device
> maintainability.
> Here are some general notes concerning functionality.
>
> - An 'sepolicy' subdirectory is now required under device directories.
> - Two per-device product variables are now available:
>   PRODUCT_SEPOLICY_REPLACE and PRODUCT_SEPOLICY_UNION.
>   These variables should be set somewhere within one of your device
>   specific makefiles.
> - No longer allow an 'sepolicy.' prefix (except *te files). Under the
>   sepolicy directory, names revert back to their original forms
>   (i.e. file_contexts, property_contexts, genfs_contexts). te files
>   may be named with whatever prefix is deemed appropriate but must
>   end with '.te'.
> - When listing a policy file in PRODUCT_SEPOLICY_REPLACE the entire
>   original file is replaced. This patch doesn't offer any type of
>   surgical strike inside policy files. So in most cases you'll have
>   to copy over the original file first then make your rule/label
>   change(s).
> - Unions work just as with the previous functionality, appended to
>   the end.
>
> As always, I welcome any additional ideas or comments.
>
> On Fri, Sep 14, 2012 at 4:28 PM, Radzykewycz, T (Radzy)
> <ra...@windriver.com> wrote:
>
>> Sounds good. I haven't thought about the implementation at all.
>>
>> ________________________________________
>> From: Stephen Smalley [s...@tycho.nsa.gov]
>> Sent: Friday, September 14, 2012 9:29 AM
>> To: Radzykewycz, T (Radzy)
>> Cc: William Roberts; seli...@tycho.nsa.gov; Craig, Robert P.
>> Subject: Re: Update to docs
>>
>> On Fri, 2012-09-14 at 16:19 +0000, Radzykewycz, T (Radzy) wrote:
>> > There have been a couple times when I wanted to remove a rule from
>> > the system policy for a specific BSP. So I guess I would vote for
>> > override if I need to choose one or the other. But would it be
>> > reasonable to allow both overrides and concatenates? That would be
>> > my preference.
>>
>> Maybe we could provide two variables definitions in the makefiles, one
>> for policy files that should replace/override and one for policy files
>> that should concatenate/union with the base policy files?
>>
>> --
>> Stephen Smalley
>> National Security Agency
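
The replace and union semantics described in Robert Craig's notes, modelled as an added example that is not part of the thread or of the attached patch. The function names, the dict-based file model and the sample policy lines are assumptions constructed for illustration; `lost_lines` shows which base entries a whole-file replace silently drops, which is what a reviewer of a device policy would want to see.

```python
def check_name(name, base):
    """Naming rule from the notes: a base file name as-is, or any name ending in '.te'."""
    if name.endswith(".te") or name in base:
        return
    raise ValueError(f"{name}: must match a base policy file name or end with '.te'")


def effective_policy(base, device, replace, union):
    """base/device map file name -> text. Returns (merged files, replaced base names)."""
    both = set(replace) & set(union)
    if both:
        raise ValueError(f"listed for both replace and union: {sorted(both)}")
    for name in list(replace) + list(union):
        check_name(name, base)
        if name not in device:
            raise ValueError(f"{name}: listed but missing from the device sepolicy directory")
    merged = dict(base)
    for name in replace:
        merged[name] = device[name]                         # entire base file is discarded
    for name in union:
        merged[name] = merged.get(name, "") + device[name]  # appended to the end
    return merged, sorted(n for n in replace if n in base)


def lost_lines(base, device, name):
    """Base lines that no longer appear once `name` is replaced by the device copy."""
    kept = set(device[name].splitlines())
    return [l for l in base.get(name, "").splitlines() if l.strip() and l not in kept]


# Constructed sample data (not taken from any real device tree).
BASE = {
    "file_contexts": "/system(/.*)? u:object_r:system_file:s0\n"
                     "/data(/.*)? u:object_r:system_data_file:s0\n",
    "property_contexts": "net.rmnet0 u:object_r:radio_prop:s0\n",
}
DEVICE = {
    "file_contexts": "/system(/.*)? u:object_r:system_file:s0\n"
                     "/dev/sensor0 u:object_r:sensor_device:s0\n",
    "property_contexts": "ro.vendor.demo u:object_r:demo_prop:s0\n",
    "demo.te": "type demo_prop, property_type;\n",
}

if __name__ == "__main__":
    merged, replaced = effective_policy(
        BASE, DEVICE, replace=["file_contexts"], union=["property_contexts", "demo.te"])
    for name in replaced:
        print(f"{name}: replaced, base lines dropped: {lost_lines(BASE, DEVICE, name)}")
```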