Jamie Nguyen
jamie****@tomoy*****
Sat Aug 27 08:28:17 JST 2011
Tetsuo Handa wrote:
> Jamie Nguyen wrote:
>> Is my understanding correct?
>
> Yes.

Great. While I have no firm objections, here are some of my initial thoughts.

In the example I gave, 5 lines are saved from exception policy. This is good, but personally, I find exception policy to be very powerful and I use it whenever possible.

Supposing you have "keep_domain /bin/cat from any" in exception policy. If you change your mind and then want /bin/cat to cause a domain transition in many domains, it is a matter of deleting a single line. Supposing instead that you have "file execute /bin/cat keep" in many domains, changing your mind in this case requires many lines to be changed. A simple sed could be used of course, but the point I'm making is the convenience of exception policy.

Correct me if I'm wrong, but two of the main reasons for the creation of exception policy are the centralization of policy and the convenience of making changes to many domains. For example, instead of having "/dev/sr0" in many domains, you can have "@DVD_DRIVE" instead and only have to change one entry in exception policy if the device ever changes. Without centralizing into exception policy, many lines are required to be changed. Again, a simple sed could be used, but I personally feel that (in the interests of code simplicity) the addition of more directives/arguments/options into domain policy is not necessary when exception policy is coping just fine.

Having said that, I'm ready to be convinced otherwise ;-)