* [Patch 0/3] Loadable policy module infrastructure
@ 2005-05-26 17:26 Joshua Brindle
From: Joshua Brindle @ 2005-05-26 17:26 UTC
To: selinux; +Cc: selinux-dev

These patches provide the infrastructure to implement loadable policy
modules in the SELinux policy compiler. They add all the module data
structures and changes to checkpolicy to build a policy by reading the
policy.conf into the module structures and then expanding it into the
current policy format. This will add everything we need to implement the
loadable modules in a subsequent patch.

We attempted to match the upstream compiler behavior completely, and so
there are parts of the patch that implement inconsistent logic (such as
type conflict handling for conditionals) that we plan on cleaning up
later and making consistent.

Aside from policies with large amounts of conditional rules, the policies
generated by this compiler and the current policy compiler will be
identical; this ensures that correct policies are being built. The
conditional rules are ordered differently by this patch because of the
way the conditional expressions are optimized. The policy itself is
semantically identical, however.

Also, we have tested MLS policy generation and it seems to work, but we'd
like some indication from someone running an MLS system that it indeed
does work correctly.

We expect to send additional patches soon: one which implements the
module language itself and another to remove * and ~ from allow rules
per a previous thread on this list.

Joshua Brindle
Tresys Technology