RE: couple validatetrans questions
>> A trivial code change to make assuming there hasn't been extensive
>> use of validatetrans/mlsvalidatetrans. Until then I guess I'll just
>> have to work harder at explaining the subtle difference.
>
> Not clear that this is justified, and would require a coordinated
> kernel change.

I too am unsure that the change is justified (I know it would have been
easier if I caught it earlier). Just so you know, it became obvious when
writing a chapter on constraints and trying to make a single table for all
operators and their possible arguments, that I could not simply use the same
table for constrain and validatetrans statements since the semantic meaning
for t1 changed between the two. That's the conceptual barrier to
understanding I mentioned.

Nonetheless I agree with the philosophy to not change a semantic unless
there is a compelling reason and I'm not sure there is one. It'll just make
my chapter longer ;-)

Frank