2010-05-29 11:55:06

by Russell Coker

Subject: [refpolicy] constraints as modules

Would it be possible to allow constraints in modules?

I think it would be ideal if the difference between a MLS system and an MCS
system was a single module containing constraints.

Also I think it would be good to have the option of adding additional modules
to impose extra constraints. For example I would like to have an optional
module to use MCS for network access controls. Also the possibility of having
an optional constraints module that allows UBAC to be used for a Play Machine
would be good.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog


2010-06-01 12:39:06

by Chris PeBenito

Subject: [refpolicy] constraints as modules

On Sat, 2010-05-29 at 21:55 +1000, Russell Coker wrote:
> Would it be possible to allow constraints in modules?

No, not with the current toolchain.

> I think it would be ideal if the difference between a MLS system and an MCS
> system was a single module containing constraints.

While I would agree, there are other issues. The MLS information for
labeling, range_transitions, users, etc. would also have to be enabled
on all modules, and then stripped if MLS is disabled. On top of that
how would you handle MLS vs. MCS since they use the same (MLS) field?

--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux

2010-07-02 01:15:11

by Russell Coker

Subject: [refpolicy] constraints as modules

On Tuesday 01 June 2010 22:39:06 Chris PeBenito wrote:
> > I think it would be ideal if the difference between a MLS system and an
> > MCS system was a single module containing constraints.
>
> While I would agree, there are other issues. The MLS information for
> labeling, range_transitions, users, etc. would also have to be enabled
> on all modules, and then stripped if MLS is disabled. On top of that
> how would you handle MLS vs. MCS since they use the same (MLS) field?

Most modules don't have anything special in relation to MCS or MLS, it's all
TE.

For the modules that do something special you could have two optional
sections, one for MCS and one for MLS. Just as a module can have optional
sections for MySQL and PostgreSQL and use the one that's installed, a module
can use MCS or MLS depending on which is installed. The only difference being
that removing one of MCS/MLS and installing the other would have to be an
atomic operation. For the sake of sanity I suggest not having
mcs/constraints.pp and mls/constraints.pp.
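As an added illustration of the module layout being discussed (this is not code from the thread or from refpolicy itself), the sketch below puts the two approaches side by side in refpolicy's .te syntax: the build-time ifdef on enable_mls / enable_mcs that refpolicy modules use today, and the optional_policy form proposed above, where both variants stay in the module and the loaded policy decides. The domain foo_t, the interface names used inside the blocks, and the trimmed-down constraints at the end are assumptions made for the example; the real refpolicy interfaces and constraints are longer and may be named differently, and, as Chris notes, the current toolchain does not let a module carry constraints at all, so the second half is the design being requested rather than loadable policy.

```m4
# Added example, not part of the thread or of refpolicy. Interface names
# and the constraint bodies are assumptions for illustration only.
# (No apostrophes in comments: refpolicy files pass through m4, which
# treats a bare apostrophe as a closing quote.)

policy_module(foo, 1.0.0)

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Today: the choice is fixed at build time. TYPE=mls or TYPE=mcs in
# build.conf defines exactly one of these macros, so the other branch is
# discarded before the module is compiled, and the built .pp is specific
# to one policy type.
ifdef(`enable_mls',`
	mls_file_read_all_levels(foo_t)   # assumed interface name
')
ifdef(`enable_mcs',`
	mcs_file_read_all(foo_t)          # assumed interface name
')

# Proposed: keep both variants in the module and resolve at link time,
# the way a module carries optional_policy blocks for MySQL and
# PostgreSQL and only the one whose types are present is linked in.
# This presumes a loadable mls module and a loadable mcs module that
# also own the constraints, exactly one of which is installed at a time.
optional_policy(`
	mls_file_read_all_levels(foo_t)
')
optional_policy(`
	mcs_file_read_all(foo_t)
')

# What the separate constraints module would own (simplified to show
# the shape only). Both forms use the same MLS field of the context,
# which is why one of the two modules must be loaded, never both:
# MLS compares the low level of subject and object,
#   mlsconstrain file { read getattr } ( l1 dom l2 );
# MCS compares the high level, i.e. the category set,
#   mlsconstrain file { read getattr } ( h1 dom h2 );
```

The last point is the practical consequence of Chris's objection that MLS and MCS share the same field: because the two constraint sets give different meanings to the same part of the context, swapping one module for the other has to be a single transaction (remove old constraints, install new, relabel or re-check ranges) rather than two independent semodule operations, which is the atomicity requirement the proposal above calls out.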