selinux January 2010 archive
selinux: RE: [PATCH 13/13] semanage store migration script

From: James Carter <jwcart2_at_nospam>
Date: Mon Jan 11 2010 - 20:45:01 GMT
To: Joshua Brindle <jbrindle@tresys.com>


On Mon, 2010-01-11 at 14:57 -0500, Joshua Brindle wrote:
> On 2010-01-11 James Carter wrote:
> > On Fri, 2010-01-08 at 16:27 -0500, Caleb Case wrote:
> <snip>
> >>>
> >>>
> >>> 3) I can't remove the permissive domain created before the migration
> >>> because the default priority level is 400, but the script put
> >>> everything at priority 100 and I don't know how to change the priority
> >>> for semanage.
> >>
> >> semanage hasn't been updated yet to let you specify priorities.
> >>
> > I noticed. ;)
> > So why does the migration script put everything into priority 100
> > instead of the default priority?
> >
>
>
> Priority 100 is for policies distributed by the distro, 400 is default for user actions (e.g., running semodule without adding a priority)
>
> I guess we could add some smarts to the migration script to put things like permissive modules and "local.pp" kinds of modules at 400.
>
> or add a list of modules distributed by Red Hat *shrug*
>
> I'm not sure any of these are good ideas, but they might soften the migration blow.
>

Oh wait. I was thinking that 100 was a higher priority. I couldn't understand why everything was migrated into a higher priority than the default. Now it makes sense.

It still might make sense to put local.pp and permissive modules into the default priority. It could be very confusing to have these exist in multiple priorities.

>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency