Message-ID: <4608CE1E.2030202@gmail.com>
Date: Tue, 27 Mar 2007 15:56:14 +0800
From: Ken YANG
To: Stephen Smalley
CC: selinux@tycho.nsa.gov
Subject: Re: why base.pp has attribute and policy.* not
References: <4607B26D.7030307@gmail.com> <1174913829.3864.27.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1174913829.3864.27.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Mon, 2007-03-26 at 19:45 +0800, Ken YANG wrote:
>> when I run apol with policy.* (monolithic), it always complains:
>>
>> Warning: Apol has generated attribute name because the original
>> names were not presented in the policy.
>>
>> but when I run apol with base.pp (modular), there is no warning
>> at all, and apol shows all the attributes, not ones such as
>> "@ttr0002 (0 types)"
>>
>> in Rules.monolithic and Rules.modular, policy.* and base.mod are
>> all generated by checkpolicy with the same parameters:
>>
>> $(verbose) $(CHECKPOLICY) $^ -o $@
>>
>> but after semodule_package packages base.mod, base.pp has attributes,
>> and policy.* not, why?
>
> The attributes are removed from the types symbol table before writing
> out the kernel binary policy format because the kernel has no need for
> those symbols for runtime operation and relies upon the types symbol
> table only containing valid types for e.g. context validation. The
> policy module format has that information because it is needed for
> linking and expanding policy modules.
>
> The kernel representation originally had no notion of type attributes at
> all, with all attributes fully expanded to their type sets by the policy
> compiler when generating the kernel policy; later, support was added for
> storing a type-to-attribute reverse mapping in the kernel representation
> and the kernel was changed to leverage that mapping to allow the access
> vector table (e.g. allow rules) to be more compact when rules are
> specified in terms of attributes. But even that didn't require
> retaining the attributes in the types symbol table. Some prior
> discussions:
> http://marc.info/?l=selinux&m=111962389000504&w=2
> http://marc.info/?l=selinux&m=112266531009712&w=2
> http://marc.info/?l=selinux&m=112351688414526&w=2

I am awfully sorry for forgetting to search the archives before asking
questions. I have followed these discussions, and it seems to need some
time to understand completely :-)

> --
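The distinction Stephen describes, as a toy model in Python (an added example, not SELinux, checkpolicy or setools code): the module-format view keeps attribute names in the type symbol table, while the kernel-format view drops them, keeps only the type-to-attribute reverse map, and still matches compact attribute-based allow rules. The ModulePolicy/KernelPolicy classes, the numbering of attributes and the "@ttr" naming (modelled on apol's warning) are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ModulePolicy:
    """Module format: attribute names sit in the type symbol table."""
    types: set[str]
    attributes: dict[str, set[str]]   # attribute name -> member types
    allow: list[tuple[str, str, str]]  # (source, target, perm); either side may be an attribute

@dataclass
class KernelPolicy:
    """Kernel format: only real types in the symbol table, attributes reduced to ids."""
    types: set[str]                    # what context validation checks against
    type_attr: dict[str, set[int]]     # type -> attribute ids (the reverse mapping)
    allow: list[tuple[object, object, str]]  # compact rules keyed by attribute id

def module_symbols(mod: ModulePolicy) -> set[str]:
    # In the module format both types and attribute names are symbols.
    return mod.types | set(mod.attributes)

def compile_kernel(mod: ModulePolicy) -> KernelPolicy:
    # Hypothetical compile step: number the attributes, drop their names,
    # keep the type->attribute reverse map so rules need not be expanded.
    ids = {name: i for i, name in enumerate(sorted(mod.attributes), start=1)}
    type_attr = {t: set() for t in mod.types}
    for name, members in mod.attributes.items():
        for t in members:
            type_attr[t].add(ids[name])
    allow = [(ids.get(s, s), ids.get(t, t), p) for s, t, p in mod.allow]
    return KernelPolicy(set(mod.types), type_attr, allow)

def kernel_valid_context_type(k: KernelPolicy, name: str) -> bool:
    # Context validation: the type field must be a real type, never an attribute.
    return name in k.types

def kernel_allowed(k: KernelPolicy, src: str, tgt: str, perm: str) -> bool:
    # Match rules through the reverse map: a type stands in for every attribute it carries.
    src_keys = {src} | k.type_attr.get(src, set())
    tgt_keys = {tgt} | k.type_attr.get(tgt, set())
    return any(s in src_keys and t in tgt_keys and p == perm for s, t, p in k.allow)

def generated_attr_names(k: KernelPolicy) -> dict[int, str]:
    # Best a tool reading the kernel format can do: invent names like apol's "@ttr0002".
    ids = {a for attrs in k.type_attr.values() for a in attrs}
    return {a: f"@ttr{a:04d}" for a in sorted(ids)}
```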