[tomoyo-dev-en 315] Re: "file execute" directive with optional "destination domain" argument.


Toshiharu Harada harad****@gmail*****
Sat Aug 27 08:56:49 JST 2011


Jamie's summary helped me. Thanks a lot >Jamie

Like Jamie, I have no firm objections either. But I've been wondering
if TOMOYO really needs new directives while "aggregator" is available.

I assume the new suggestions include several
different purposes/advantages. What seems to be most
important to you? >Tetsuo (Eliminating the need to synchronize the
exception policy, I guess?)

2011/8/27 Jamie Nguyen <jamie at tomoyolinux.co.uk>:
> Tetsuo Handa wrote:
>> Jamie Nguyen wrote:
>>> Is my understanding correct?
>>
>> Yes.
>
> Great. While I have no firm objections, here are some of my initial thoughts.
>
> In the example I gave, 5 lines are saved from exception policy. This
> is good, but personally, I find exception policy to be very powerful
> and I use it whenever possible. Supposing you have "keep_domain
> /bin/cat from any" in exception policy. If you change your mind and
> then want /bin/cat to cause a domain transition in many domains, it is
> a matter of deleting a single line. Supposing instead that you have
> "file execute /bin/cat keep" in many domains, changing your mind in
> this case requires many lines to be changed. A simple sed could be
> used of course, but the point I'm making is the convenience of
> exception policy.
>
> Correct me if I'm wrong, but two of the main reasons for the creation
> of exception policy are the centralization of policy and the
> convenience of making changes to many domains. For example, instead of
> having "/dev/sr0" in many domains, you can have "@DVD_DRIVE" instead
> and only have to change one entry in exception policy if the device
> ever changes. Without centralizing into exception policy, many lines
> are required to be changed. Again, a simple sed could be used, but I
> personally feel that (in the interests of code simplicity) the
> addition of more directives/arguments/options into domain policy is
> not necessary when exception policy is coping just fine.
>
> Having said that, I'm ready to be convinced otherwise ;-)

From another "ready to be convinced". :-)
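To make the maintenance cost Jamie describes concrete, here is an added example (not code from the thread or from the TOMOYO project) that parses a constructed TOMOYO 2.x domain policy using the proposed "file execute PROGRAM keep" form and counts how many lines must change to reverse the decision, compared with a single "keep_domain" line in exception policy. The domain names and ACL lines are constructed sample data; the optional "keep" argument is the proposal under discussion, not existing TOMOYO syntax.

```python
# Constructed sample domain policy: three domains each carry the proposed
# per-domain transition argument on their "file execute /bin/cat" line.
DOMAIN_POLICY = """\
<kernel> /usr/sbin/sshd
file execute /bin/cat keep
file read /etc/ssh/sshd_config

<kernel> /usr/sbin/sshd /bin/bash
file execute /bin/cat keep
file execute /usr/bin/less

<kernel> /usr/sbin/cron
file execute /bin/cat keep
"""

# Constructed exception policy expressing the same intent centrally.
EXCEPTION_POLICY = """\
keep_domain /bin/cat from any
path_group DVD_DRIVE /dev/sr0
"""


def parse_domains(text):
    """Return {domain_name: [acl lines]} from a domain policy dump."""
    domains, current = {}, None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            current = line.strip()
            domains[current] = []
        elif line.strip() and current is not None:
            domains[current].append(line.strip())
    return domains


def lines_to_change(domain_policy, exception_policy, program):
    """Lines to edit so that `program` no longer keeps the caller's domain.
    Returns (per_domain_count, exception_policy_count)."""
    target = f"file execute {program} keep"
    per_domain = sum(acl == target
                     for acls in parse_domains(domain_policy).values()
                     for acl in acls)
    exception = sum(line.strip() == f"keep_domain {program} from any"
                    for line in exception_policy.splitlines())
    return per_domain, exception


def centralize(domain_policy, program):
    """Move the transition decision into exception policy: strip the
    per-domain 'keep' argument and return the single replacement line."""
    plain = domain_policy.replace(f"file execute {program} keep",
                                  f"file execute {program}")
    return plain, f"keep_domain {program} from any"
```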



