Re: [PATCH v6 1/2] selinux: add brief info to policydb
From: Sebastien Buisson
Date: Wed May 24 2017 - 11:27:08 EST
2017-05-23 21:11 GMT+02:00 Paul Moore <paul@xxxxxxxxxxxxxx>:
> On Tue, May 23, 2017 at 12:29 PM, Sebastien Buisson
> <sbuisson.ddn@xxxxxxxxx> wrote:
>> Another way could be to add another hook to check policy brief info
>> validity. It would take a string as an input parameter, and return 0
>> if it matches the current policy. So Lustre client code would
>> systematically call this hook, and only call security_policydb_brief()
>> when the policy has changed, to store the current value internally.
>
> I'm not sure I like this approach as much as the one above, for a
> variety of reasons. Is this option more desirable from a Lustre point
> of view?
It is true that now that the notification code is present in the
selinux/next branch, it is worth using it. I was thinking, but I may
be wrong, that future inclusion of this series of patches in some
distributions' kernels like CentOS or RedHat would be easier if it did
not have dependencies on other patches. This is why I thought about an
alternative solution.
Technically speaking, the solution based on notifications can fit the
Lustre needs, letting Lustre maintain its own sequence number as you
suggest.
Sebastien.