From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Dec 2014 09:44:56 -0500 Subject: [refpolicy] Syntax fixes in contrib In-Reply-To: <1417617210.29096.4.camel@joe.localdomain> References: <1416983956-8770-1-git-send-email-jason@perfinion.com> <547DDB5A.3000307@tresys.com> <20141202161542.GA16393@e145.network2> <547ED76D.5010709@redhat.com> <1417617210.29096.4.camel@joe.localdomain> Message-ID: <547F21E8.60002@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/3/2014 9:33 AM, Dominick Grift wrote: > On Wed, 2014-12-03 at 10:27 +0100, Miroslav Grepl wrote: > >>>>> >>> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested. >>> >>> This is also one of the reasons why i prefer only adding interfaces that are actually used. >>> >>> On that other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support >>> >>> > > >> We have tests for testing these _admin() interfaces in RHEL. I believe >> we could add them to Fedora to have them available. > > Could be interesting. I fear however that the tests aren't going to be > the problem, but rather running them consistently when a unused > interface is added. > > I might be wrong with that assumption though In the long run I'm not really concerned, as there will eventually be a refpolicy->CIL compiler[1], which would do syntax checking on interfaces, since they would be proper language constructs, instead of macros. [1] https://bitbucket.org/jwcarter/fpp -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com