From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: dE <de.techno@gmail.com>, <selinux@tycho.nsa.gov>
Subject: Re: What's a module exactly?
Date: Mon, 5 May 2014 07:55:27 -0400
Message-ID: <53677C2F.7020800@tresys.com>
In-Reply-To: <53665D05.6070403@gmail.com>
On 05/04/2014 11:30 AM, dE wrote:
> I'm trying to verify what I think cause I've not read about this yet --
>
> A SELinux 'module' is like a C object file; each module has a purpose of defining policies for a certain program.
>
> Each module may be made a separate policy or many modules can be integrated into one policy file (like what Fedora has done).
If you're talking about modules as in .pp files, then yes, they're a similar concept to C object code. Each module has a chunk of policy, and then all the modules are linked together to create the final policy.2x. There has to be at least one module in the policy, the base module. It is special in that all of the unconditional (not optional) dependencies must be met. There are also statements that can only exist in the base module, such as portcon, genfscon, and others. Otherwise, what is actually contained in each module is up to the policy writer. The modules tend to correspond to software packages. For example, in Reference Policy, there is an apache module which should constrain apache, a samba module for samba, etc.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
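
The module/base split described in the reply above, as an added illustration that is not part of the original message or of Reference Policy: the source of a small non-base module with one unconditional and one optional dependency. The module name myapp and the type myapp_data_t are hypothetical, and the example assumes the loaded policy already defines httpd_t (apache module) and, possibly, smbd_t (samba module).

```selinux
# myapp.te: source of a non-base policy module (hypothetical example).
# Compiled and packaged into myapp.pp, then linked with the base module
# and every other installed module to produce the final policy.2x.
module myapp 1.0;

# Unconditional dependencies: symbols this module uses but does not
# declare. Some other module must provide them at link time, or the
# link fails, much like an unresolved symbol in C object code.
require {
	type httpd_t;
	class file { getattr open read };
}

# A symbol declared by this module itself.
type myapp_data_t;

# Policy carried by this module.
allow httpd_t myapp_data_t:file { getattr open read };

# Optional dependency: this block is enabled only when smbd_t is
# available at link time. If the samba module is not installed, the
# block is dropped and the rest of the module still links.
optional {
	require {
		type smbd_t;
	}
	allow smbd_t myapp_data_t:file { getattr open read };
}

# Not allowed here: portcon, genfscon and similar statements can only
# exist in the base module, as the reply notes.

# Build and install (run as root on an SELinux-enabled system):
#   checkmodule -M -m -o myapp.mod myapp.te
#   semodule_package -o myapp.pp -m myapp.mod
#   semodule -i myapp.pp
```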