On Mon, Jul 13, 2015 at 03:02:55PM +0200, Sven Vermeulen wrote:
> On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman <perfin...@gentoo.org> wrote:
> > Secondly, related to "poor support for preserving local changes across
> > system updates". The tools now have the concept of priority so users can
> > easily completely replace a distro-provided module at a higher priority
> > (semodule -X 900 -i foo.pp). I haven't (yet) updated our selinux eclass
> > to install at a lower priority but will hopefully do that soon.
>
> We work with the default 400 (100 is for the migrated modules). Do you
> see a reason why we have to explicitly support a particular priority
> in our eclass?
Hmm. I thought the point of the priorities was that things the user has done should be separate from what the distro provides. Either the distro uses 400 and any overrides the user does go in a higher level, or we change the eclass to use a lower level and the user gets the default. That way it's easier for the user to see what customizations have been made.

I was going to make a patch first and then discuss, but the basic idea was to semodule -X 100 -i $MOD.pp and then remove the module from level 400 afterwards if it exists.

Thoughts? And if we do, do we want to use level 100? 200?

-- Jason
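The two-step procedure Jason sketches (install the distro copy at a low priority, then drop the stale copy at the old priority 400) and Sven's point about seeing user customizations, written out as an added shell example. This is not code from the thread or from the Gentoo selinux eclass. It assumes that `semodule --list-modules=full` prints one line per installed module in the form `<priority> <name> <lang>`, as the policycoreutils 2.4 semodule does; the sample listing embedded below is constructed for illustration, and `install_module` only runs when the script is invoked with a module name and a `.pp` path.

```shell
#!/bin/sh
# Added example: migrate a distro-provided SELinux module to a lower
# priority and show which modules are user overrides.
# Assumption: `semodule --list-modules=full` prints "<priority> <name> <lang>".

NEW_PRIO="${NEW_PRIO:-100}"   # where the eclass would install (value from the thread)
OLD_PRIO="${OLD_PRIO:-400}"   # the current default the eclass leaves behind

# module_at_priority LISTING PRIO NAME
# Succeeds when LISTING (output of `semodule --list-modules=full`) shows
# NAME installed at priority PRIO.
module_at_priority() {
    printf '%s\n' "$1" | awk -v p="$2" -v m="$3" '
        $1 == p && $2 == m { found = 1 }
        END { exit !found }'
}

# user_overrides LISTING
# Prints every module installed at a priority above OLD_PRIO, i.e. the
# copies that shadow the distro-provided ones (user customizations).
user_overrides() {
    printf '%s\n' "$1" | awk -v d="$OLD_PRIO" '$1 > d { print }'
}

# install_module NAME PATH
# Install PATH at NEW_PRIO, then remove the copy at OLD_PRIO if one is
# still present so that the NEW_PRIO copy becomes the active one.
install_module() {
    name="$1"; pp="$2"
    semodule -X "$NEW_PRIO" -i "$pp" || return 1
    listing="$(semodule --list-modules=full)" || return 1
    if module_at_priority "$listing" "$OLD_PRIO" "$name"; then
        semodule -X "$OLD_PRIO" -r "$name" || return 1
    fi
}

# Constructed sample listing (not real system output) used to exercise the
# helpers offline: abrt and foo are distro modules, foo has a user override.
SAMPLE_LISTING='100 abrt pp
400 foo pp
400 abrt pp
900 foo cil'

# Only touch the live policy store when a module name and .pp path are given.
if [ "$#" -ge 2 ]; then
    install_module "$1" "$2"
fi
```

Run as `sh migrate.sh foo /path/to/foo.pp` to perform the migration for one module; without arguments the script defines the helpers and exits, so `user_overrides "$(semodule --list-modules=full)"` can be used on its own to list what a user has layered on top of the distro policy.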