Stephen Frost wrote:
> KaiGai,
>
<snip>
> I do think that, technically, there's no reason we couldn't allow for
> multiple "only-more-restrictive" models to be enabled and built in a
> single binary for systems which support it. As such, I would make those
> just "#if defined()" rather than "#elif". Let it be decided at runtime
> which are actually used, otherwise it becomes a much bigger problem for
> packagers too.
>
It isn't just a case of using #if and it magically working. You'd need a
system to manage multiple labels on each object that can be addressed by
different systems. So instead of having an object mapped only to
"system_u:object_r:mydb_t:s15" you'd also have to have it mapped to,
eg., "^" for Smack.