From: russell@coker.com.au (Russell Coker)
Date: Fri, 2 Jul 2010 11:15:11 +1000
Subject: [refpolicy] constraints as modules
In-Reply-To: <1275395946.2995.5.camel@defiant>
References: <201005292155.07061.russell@coker.com.au> <1275395946.2995.5.camel@defiant>
Message-ID: <201007021115.11603.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday 01 June 2010 22:39:06 Chris PeBenito wrote:
> > I think it would be ideal if the difference between a MLS system and an
> > MCS system was a single module containing constraints.
>
> While I would agree, there are other issues. The MLS information for
> labeling, range_transitions, users, etc. would also have to be enabled
> on all modules, and then stripped if MLS is disabled. On top of that
> how would you handle MLS vs. MCS since they use the same (MLS) field?

Most modules don't have anything special in relation to MCS or MLS, it's all
TE.

For the modules that do something special you could have two optional
sections, one for MCS and one for MLS. Just as a module can have optional
sections for MySQL and PostgreSQL and use the one that's installed, a module
can use MCS or MLS depending on which is installed. The only difference being
that removing one of MCS/MLS and installing the other would have to be an
atomic operation.

For the sake of sanity I suggest not having mcs/constraints.pp and
mls/constraints.pp.