From: Ken YANG <spng.yang@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: why base.pp has attribute and policy.* not
Date: Tue, 27 Mar 2007 15:56:14 +0800
Message-ID: <4608CE1E.2030202@gmail.com>
In-Reply-To: <1174913829.3864.27.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Mon, 2007-03-26 at 19:45 +0800, Ken YANG wrote:
>> when I run apol with policy.* (monolithic), it always complains:
>>
>> Warning: Apol has generated attribute name because the original
>> names were not presented in the policy.
>>
>> but when I run apol with base.pp (modular), there is no warning
>> at all, and apol shows all the attributes, not the one, such as
>> "@ttr0002 (0 types)"
>>
>> in Rules.monolithic and Rules.modular, policy.* and base.mod are
>> all generated by checkpolicy with the same parameters:
>>
>> $(verbose) $(CHECKPOLICY) $^ -o $@
>>
>> but after semodule_package packages base.mod, base.pp has attributes,
>> and policy.* does not, why?
>
> The attributes are removed from the types symbol table before writing
> out the kernel binary policy format because the kernel has no need for
> those symbols for runtime operation and relies upon the types symbol
> table only containing valid types for e.g. context validation. The
> policy module format has that information because it is needed for
> linking and expanding policy modules.
>
> The kernel representation originally had no notion of type attributes at
> all, with all attributes fully expanded to their type sets by the policy
> compiler when generating the kernel policy; later, support was added for
> storing a type-to-attribute reverse mapping in the kernel representation
> and the kernel was changed to leverage that mapping to allow the access
> vector table (e.g. allow rules) to be more compact when rules are
> specified in terms of attributes. But even that didn't require
> retaining the attributes in the types symbol table. Some prior
> discussions:
> http://marc.info/?l=selinux&m=111962389000504&w=2
> http://marc.info/?l=selinux&m=112266531009712&w=2
> http://marc.info/?l=selinux&m=112351688414526&w=2
I am awfully sorry for forgetting to search the archives before asking
questions.
I have followed these discussions, and it seems to need some time
to understand completely :-)
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
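The following is an added illustration, not code from this thread, from libsepol or from checkpolicy. It is a toy model of the two points Stephen makes above: the kernel binary drops attribute names from the types symbol table (so that the symtab can double as the "is this a real type" check for context validation) and either fully expands attribute-based allow rules to type pairs or, in later kernels, keeps them compact by way of a type-to-attribute reverse mapping. The policy, the names (`domain`, `file_type`, `empty_attr`, the `*_t` types) and every helper function are constructed for the example and are not SELinux APIs.

```python
"""Toy model (added example, not libsepol code) of what happens to type
attributes when a policy is written as a kernel binary versus a module.

The tiny policy, its names and the helper functions are constructed for
illustration; they are not SELinux or libsepol APIs.
"""
from collections import defaultdict

# Constructed sample policy. Attribute names resolve to sets of types.
TYPES = {"httpd_t", "sshd_t", "kernel_t", "etc_t", "bin_t"}
ATTRIBUTES = {
    "domain": {"httpd_t", "sshd_t", "kernel_t"},
    "file_type": {"etc_t", "bin_t"},
    "empty_attr": set(),  # a declared attribute with no member types
}
# (source, target, class, perms); source/target may name a type or an attribute.
RULES = [
    ("domain", "file_type", "file", frozenset({"read", "getattr"})),
    ("httpd_t", "etc_t", "file", frozenset({"write"})),
]


def members(name, attributes=ATTRIBUTES, types=TYPES):
    """Resolve a type or attribute name to the concrete types it denotes."""
    if name in attributes:
        return set(attributes[name])
    if name in types:
        return {name}
    raise KeyError(f"unknown type/attribute: {name}")


def expand_rules(rules):
    """What the original compiler did for the kernel: replace every attribute
    by its member types so the AV table only ever mentions concrete types."""
    table = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for s in members(src):
            for t in members(tgt):
                table[(s, t, cls)] |= perms
    return {k: frozenset(v) for k, v in table.items()}


def kernel_type_symtab(types=TYPES, attributes=ATTRIBUTES):
    """Kernel binary: attributes are dropped from the types symbol table,
    so the symtab holds exactly the names a security context may carry."""
    return sorted(types)


def module_type_symtab(types=TYPES, attributes=ATTRIBUTES):
    """Module format: attributes stay, since link/expand still needs them."""
    return sorted(set(types) | set(attributes))


def valid_context(ctx, type_symtab):
    """Minimal user:role:type[:range] check on the type field only; this is
    why the kernel wants the symtab to contain real types and nothing else."""
    fields = ctx.split(":")
    return len(fields) >= 3 and fields[2] in type_symtab


def reverse_mapping(attributes=ATTRIBUTES):
    """type -> attributes it belongs to: the later kernel addition that lets
    attribute-based rules be stored without expanding them."""
    rev = defaultdict(set)
    for attr, tys in attributes.items():
        for t in tys:
            rev[t].add(attr)
    return {t: frozenset(a) for t, a in rev.items()}


def compact_lookup(rules, rev, src, tgt, cls):
    """Answer an access query against un-expanded rules by trying every name
    (the type itself plus each of its attributes) a rule could be keyed on."""
    src_names = {src} | set(rev.get(src, ()))
    tgt_names = {tgt} | set(rev.get(tgt, ()))
    perms = set()
    for s, t, c, p in rules:
        if c == cls and s in src_names and t in tgt_names:
            perms |= p
    return frozenset(perms)


def expanded_lookup(expanded, src, tgt, cls):
    """Same query against the fully expanded table."""
    return expanded.get((src, tgt, cls), frozenset())


if __name__ == "__main__":
    expanded = expand_rules(RULES)
    rev = reverse_mapping()
    print("kernel symtab :", kernel_type_symtab())
    print("module symtab :", module_type_symtab())
    print("expanded rules:", len(expanded), "vs compact rules:", len(RULES))
    for s in sorted(ATTRIBUTES["domain"]):
        for t in sorted(ATTRIBUTES["file_type"]):
            assert compact_lookup(RULES, rev, s, t, "file") == \
                expanded_lookup(expanded, s, t, "file")
    print("compact and expanded lookups agree")
```

Note that `empty_attr` survives only in the module symtab; a tool that reads the kernel binary cannot learn its name, which is the situation behind the generated "@ttr0002 (0 types)" placeholder in the original question. On a real system the equivalent check is to run `seinfo -a` from setools against the module and against the kernel policy file and compare the attribute lists.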
Thread overview (3+ messages):
2007-03-26 11:45 why base.pp has attribute and policy.* not  Ken YANG
2007-03-26 12:57 ` Stephen Smalley
2007-03-27  7:56 ` Ken YANG [this message]