Re: [2.6 patch] selinux: possible cleanups

[Stephen Smalley]

On Sun, 2004-11-28 at 14:01, Adrian Bunk wrote:
> The patch below contains the following possible cleanups:
> - make needlessly global code static
> - remove the following unused global functions:
>   - avc.c: avc_ss_grant
>   - avc.c: avc_ss_try_revoke
>   - avc.c: avc_ss_revoke
>   - avc.c: avc_ss_set_auditallow
>   - avc.c: avc_ss_set_auditdeny

These functions are part of an overall interface between the AVC and the
security server designed to support dynamic security policy
requirements, based on prior studies including some formal analysis. 
While the example security server does not presently use anything other
than avc_ss_reset, I'd be hesitant to completely remove the rest of the
interface, as that will leave a far less functional interface for future
security servers and may lead to further "optimization" of the AVC that
will preclude support for dynamic policy requirements (or at least make
it much harder to restore such support).

>   - ss/services.c: security_member_sid

There are patches under development for SELinux that make use of this
function, including exporting the interface to userspace via selinuxfs
and using it in-kernel for polyinstantiation.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/