From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: why base.pp has attribute and policy.* not
From: Stephen Smalley
To: Ken YANG
Cc: selinux@tycho.nsa.gov
In-Reply-To: <4607B26D.7030307@gmail.com>
References: <4607B26D.7030307@gmail.com>
Content-Type: text/plain
Date: Mon, 26 Mar 2007 08:57:09 -0400
Message-Id: <1174913829.3864.27.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Mon, 2007-03-26 at 19:45 +0800, Ken YANG wrote:
> When I run apol with policy.* (monolithic), it always complains:
>
> Warning: Apol has generated attribute names because the original
> names were not present in the policy.
>
> But when I run apol with base.pp (modular), there is no warning
> at all, and apol shows all the attributes, not ones such as
> "@ttr0002 (0 types)".
>
> In Rules.monolithic and Rules.modular, policy.* and base.mod are
> all generated by checkpolicy with the same parameters:
>
> $(verbose) $(CHECKPOLICY) $^ -o $@
>
> But after semodule_package packages base.mod, base.pp has attributes,
> and policy.* does not. Why?

The attributes are removed from the types symbol table before writing out
the kernel binary policy format because the kernel has no need for those
symbols for runtime operation and relies upon the types symbol table only
containing valid types for e.g. context validation. The policy module
format has that information because it is needed for linking and expanding
policy modules.

The kernel representation originally had no notion of type attributes at
all, with all attributes fully expanded to their type sets by the policy
compiler when generating the kernel policy; later, support was added for
storing a type-to-attribute reverse mapping in the kernel representation,
and the kernel was changed to leverage that mapping to allow the access
vector table (e.g. allow rules) to be more compact when rules are specified
in terms of attributes. But even that didn't require retaining the
attributes in the types symbol table.

Some prior discussions:
http://marc.info/?l=selinux&m=111962389000504&w=2
http://marc.info/?l=selinux&m=112266531009712&w=2
http://marc.info/?l=selinux&m=112351688414526&w=2

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
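The following is an added illustration of the mechanism described in the reply above; it is not code from checkpolicy, libsepol or apol, and the thread does not contain it. It models a source policy with named attributes, "compiles" it the way the two kernel representations do (full expansion of attributes into type sets, then the later type-to-attribute reverse mapping with attribute-keyed avtab entries), and shows why the types symbol table of the kernel policy holds no attribute names while a tool reading it can only synthesize placeholders. All type, attribute and rule names are constructed for the example, and the "@ttrNNNN" labels only mimic the shape of the names apol generates; the numbering scheme is an assumption, not apol's.

```python
# Added illustration (not code from checkpolicy, libsepol or apol): a toy
# model of why a kernel binary policy has no attribute names while a policy
# module keeps them.  All type, attribute and rule names are constructed for
# the example; the "@ttrNNNN" labels mimic the placeholder names apol
# generates, but the numbering scheme here is an assumption.
from dataclasses import dataclass


@dataclass
class SourcePolicy:
    """What the compiler reads: attributes are named, and rules may use them."""
    types: set
    attributes: dict            # attribute name -> set of member types
    allow: list                 # (source, target, class, perm) tuples


@dataclass
class KernelPolicy:
    """What is written out as policy.N: the types symbol table holds only real
    types; attributes survive only as anonymous type sets, a type->attribute
    reverse mapping, and avtab keys that refer to those sets."""
    types: set
    attr_sets: list             # index -> frozenset of member types
    type_attrs: dict            # type -> set of attribute indices (reverse mapping)
    avtab: dict                 # (src_key, tgt_key, class) -> set of perms


def _attr_key(index):
    return "@ttr%04d" % index


def compile_kernel(src):
    """Drop attribute names but keep their type sets and the reverse mapping."""
    names = sorted(src.attributes)
    attr_index = {name: i for i, name in enumerate(names)}
    attr_sets = [frozenset(src.attributes[name]) for name in names]
    type_attrs = {t: set() for t in src.types}
    for name, members in src.attributes.items():
        for t in members:
            type_attrs[t].add(attr_index[name])

    def key(name):
        # A rule written against an attribute keeps one compact avtab entry.
        return _attr_key(attr_index[name]) if name in attr_index else name

    avtab = {}
    for s, t, cls, perm in src.allow:
        avtab.setdefault((key(s), key(t), cls), set()).add(perm)
    return KernelPolicy(set(src.types), attr_sets, type_attrs, avtab)


def expand_fully(src):
    """The original kernel representation: every attribute replaced by its
    member types, so one attribute rule becomes |src| x |tgt| avtab entries."""
    avtab = {}
    for s, t, cls, perm in src.allow:
        for st in src.attributes.get(s, {s}):
            for tt in src.attributes.get(t, {t}):
                avtab.setdefault((st, tt, cls), set()).add(perm)
    return avtab


def context_valid(kp, context):
    """Kernel-style context validation: the type field must be in the types
    symbol table.  Attribute names never are, which is why they are stripped."""
    parts = context.split(":")
    return len(parts) >= 3 and parts[2] in kp.types


def access_allowed(kp, src_type, tgt_type, cls, perm):
    """Look up the type itself and every attribute it belongs to (via the
    reverse mapping) so attribute-keyed avtab entries still apply."""
    if src_type not in kp.types or tgt_type not in kp.types:
        return False
    src_keys = [src_type] + [_attr_key(i) for i in kp.type_attrs[src_type]]
    tgt_keys = [tgt_type] + [_attr_key(i) for i in kp.type_attrs[tgt_type]]
    return any(perm in kp.avtab.get((s, t, cls), ())
               for s in src_keys for t in tgt_keys)


def list_attributes(kp):
    """What a tool sees in the kernel policy: generated names and sizes only."""
    return ["%s (%d types)" % (_attr_key(i), len(s))
            for i, s in enumerate(kp.attr_sets)]


# Constructed sample policy (names invented for the example).
SAMPLE = SourcePolicy(
    types={"httpd_t", "sshd_t", "kernel_t", "httpd_config_t", "etc_t"},
    attributes={"domain": {"httpd_t", "sshd_t", "kernel_t"},
                "file_type": {"httpd_config_t", "etc_t"}},
    allow=[("domain", "file_type", "file", "read"),
           ("httpd_t", "httpd_config_t", "file", "write"),
           ("sshd_t", "etc_t", "file", "getattr")],
)
KERNEL = compile_kernel(SAMPLE)

if __name__ == "__main__":
    print("attributes in source policy:", sorted(SAMPLE.attributes))
    print("attributes in kernel policy:", list_attributes(KERNEL))
    print("avtab entries, attribute-keyed:", len(KERNEL.avtab),
          "fully expanded:", len(expand_fully(SAMPLE)))
    print("system_u:system_r:domain valid?",
          context_valid(KERNEL, "system_u:system_r:domain"))
```

Running it shows the three points of the reply: the kernel-side types table contains only the five real types, so a context whose type field is "domain" is rejected; the attribute-keyed avtab has three entries where full expansion needs six; and a tool inspecting the kernel form can report only "@ttr0000 (3 types)" style placeholders because the names "domain" and "file_type" were never written out.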