| 1 |
On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman <perfinion@g.o> wrote: |
| 2 |
> Overall a good article. One thing which I would also point out together |
| 3 |
> with the move to CIL is that there is now no "base" module. In the 2.3 |
| 4 |
> and earlier userlands, all the important things were in "base.pp" and |
| 5 |
> then other things were added separately as modules. One of the reasons |
| 6 |
> why modifying ports works in the 2.4 userland is that there is no more |
| 7 |
> base, it is treated just like any other module now so the limitations of |
| 8 |
> eg ports must be in base no longer apply. |
| 9 |
|
| 10 |
I'd be careful with the "no base". This heavily depends on how the |
| 11 |
userland utilities will work with the CIL, which isn't fully clarified |
| 12 |
yet. |
| 13 |
|
| 14 |
> Secondly, related to "poor support for preserving local changes across |
| 15 |
> system updates". The tools now have the concept of priority so users can |
| 16 |
> easy completely replace a distro-provided module at a higher priority |
| 17 |
> (semodule -X 900 -i foo.pp). I haven't (yet) updated our selinux eclass |
| 18 |
> to install at a lower priority but will hopefully do that soon. |
| 19 |
|
| 20 |
We work with the default 400 (100 is for the migrated modules). Do you |
| 21 |
see a reason why we have to explicitly support a particular priority |
| 22 |
in our eclass? |
| 23 |
|
| 24 |
Wkr, |
| 25 |
Sven Vermeulen |
Archives