Number of roles reported by checkpolicy

Number of roles reported by checkpolicy

[Faye Coker]

Running checkpolicy shows I have 4 users and 5 roles:

faye@kaos:/etc/selinux$ checkpolicy
checkpolicy:  loading policy configuration from policy.conf
security:  4 users, 5 roles, 683 types
security:  29 classes, 71806 rules

however, I can only see four roles:

faye@kaos:/etc/selinux$ grep ^role policy.conf|cut -f2 "-d "|sort -u
staff_r
sysadm_r
system_r
user_r

Any ideas as to why checkpolicy is reporting five roles, when I can only see 
four?

faye
--
Faye Coker
faye@lurking-grue.org



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Number of roles reported by checkpolicy

[Stephen Smalley]

On Mon, 2003-10-20 at 05:00, Faye Coker wrote:
> Running checkpolicy shows I have 4 users and 5 roles:
> 
> faye@kaos:/etc/selinux$ checkpolicy
> checkpolicy:  loading policy configuration from policy.conf
> security:  4 users, 5 roles, 683 types
> security:  29 classes, 71806 rules
> 
> however, I can only see four roles:
> 
> faye@kaos:/etc/selinux$ grep ^role policy.conf|cut -f2 "-d "|sort -u
> staff_r
> sysadm_r
> system_r
> user_r
> 
> Any ideas as to why checkpolicy is reporting five roles, when I can only see 
> four?

You are forgetting the secret nsa_has_all_power role.  Oops, nevermind.
Actually, that would be the implicitly defined object_r role for objects
that is being counted.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Number of roles reported by checkpolicy

[David Caplan]

Faye Coker wrote:
> Running checkpolicy shows I have 4 users and 5 roles:
> 
> faye@kaos:/etc/selinux$ checkpolicy
> checkpolicy:  loading policy configuration from policy.conf
> security:  4 users, 5 roles, 683 types
> security:  29 classes, 71806 rules
> 
> however, I can only see four roles:
> 
> faye@kaos:/etc/selinux$ grep ^role policy.conf|cut -f2 "-d "|sort -u
> staff_r
> sysadm_r
> system_r
> user_r
> 
> Any ideas as to why checkpolicy is reporting five roles, when I can only see 
> four?
> 

object_r is inserted as the first role into the role table (see 
roles_init() in .../checkpolicy/policydb.c) when the policy database is 
initialized.

David

__________________________________

David Caplan     410 290 1411 x105
dac@tresys.com
Tresys Technology, LLC
8840 Stanford Blvd., Suite 2100
Columbia, MD 21045


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.