From: russell@coker.com.au (Russell Coker)
Date: Fri, 2 Jul 2010 11:15:11 +1000
Subject: [refpolicy] constraints as modules
In-Reply-To: <1275395946.2995.5.camel@defiant>
References: <201005292155.07061.russell@coker.com.au>
	<1275395946.2995.5.camel@defiant>
Message-ID: <201007021115.11603.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday 01 June 2010 22:39:06 Chris PeBenito wrote:
> > I think it would be ideal if the difference between a MLS system and an
> > MCS system was a single module containing constraints.
> 
> While I would agree, there are other issues.  The MLS information for
> labeling, range_transitions, users, etc. would also have to be enabled
> on all modules, and then stripped if MLS is disabled.  On top of that
> how would you handle MLS vs. MCS since they use the same (MLS) field?

Most modules don't have anything special in relation to MCS or MLS, it's all 
TE.

For the modules that do something special you could have two optional 
sections, one for MCS and one for MLS.  Just as a module can have optional 
sections for MySQL and PostgreSQL and use the one that's installed a module 
can use MCS or MLS depending on which is installed.  The only difference being 
that removing one of MCS/MLS and installing the other would have to be be an 
atomic operation.  For the sake of sanity I suggest not having 
mcs/constraints.pp and mls/constraints.pp.