why base.pp has attribute and policy.* not

why base.pp has attribute and policy.* not

[Ken YANG]

when i run apol with policy.*(monolithic), it always complaint:

Warning: Apol has generated attribute name because the original
names were not presented in the policy.

but when run apol with base.pp(modular), there is not warning
at all, and apol show all the attributes, not the one, such as
"@ttr0002 (0 types)"

in Rules.monolithic and Rules.modular, policy.* and base.mod are
all generated by checkpolicy with same parameters:

$(verbose) $(CHECKPOLICY) $^ -o $@

but after semodule_pacage packages base.mod, base.pp has attribute,
and policy.* not, why?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: why base.pp has attribute and policy.* not

[Stephen Smalley]

On Mon, 2007-03-26 at 19:45 +0800, Ken YANG wrote:
> when i run apol with policy.*(monolithic), it always complaint:
> 
> Warning: Apol has generated attribute name because the original
> names were not presented in the policy.
> 
> but when run apol with base.pp(modular), there is not warning
> at all, and apol show all the attributes, not the one, such as
> "@ttr0002 (0 types)"
> 
> in Rules.monolithic and Rules.modular, policy.* and base.mod are
> all generated by checkpolicy with same parameters:
> 
> $(verbose) $(CHECKPOLICY) $^ -o $@
> 
> but after semodule_pacage packages base.mod, base.pp has attribute,
> and policy.* not, why?

The attributes are removed from the types symbol table before writing
out the kernel binary policy format because the kernel has no need for
those symbols for runtime operation and relies upon the types symbol
table only containing valid types for e.g. context validation.  The
policy module format has that information because it is needed for
linking and expanding policy modules.

The kernel representation originally had no notion of type attributes at
all, with all attributes fully expanded to their type sets by the policy
compiler when generating the kernel policy; later, support was added for
storing a type-to-attribute reverse mapping in the kernel representation
and the kernel was changed to leverage that mapping to allow the access
vector table (e.g. allow rules) to be more compact when rules are
specified in terms of attributes.  But even that didn't require
retaining the attributes in the types symbol table.  Some prior
discussions:
http://marc.info/?l=selinux&m=111962389000504&w=2
http://marc.info/?l=selinux&m=112266531009712&w=2
http://marc.info/?l=selinux&m=112351688414526&w=2

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: why base.pp has attribute and policy.* not

[Ken YANG]

Stephen Smalley wrote:
> On Mon, 2007-03-26 at 19:45 +0800, Ken YANG wrote:
>> when i run apol with policy.*(monolithic), it always complaint:
>>
>> Warning: Apol has generated attribute name because the original
>> names were not presented in the policy.
>>
>> but when run apol with base.pp(modular), there is not warning
>> at all, and apol show all the attributes, not the one, such as
>> "@ttr0002 (0 types)"
>>
>> in Rules.monolithic and Rules.modular, policy.* and base.mod are
>> all generated by checkpolicy with same parameters:
>>
>> $(verbose) $(CHECKPOLICY) $^ -o $@
>>
>> but after semodule_pacage packages base.mod, base.pp has attribute,
>> and policy.* not, why?
> 
> The attributes are removed from the types symbol table before writing
> out the kernel binary policy format because the kernel has no need for
> those symbols for runtime operation and relies upon the types symbol
> table only containing valid types for e.g. context validation.  The
> policy module format has that information because it is needed for
> linking and expanding policy modules.
> 
> The kernel representation originally had no notion of type attributes at
> all, with all attributes fully expanded to their type sets by the policy
> compiler when generating the kernel policy; later, support was added for
> storing a type-to-attribute reverse mapping in the kernel representation
> and the kernel was changed to leverage that mapping to allow the access
> vector table (e.g. allow rules) to be more compact when rules are
> specified in terms of attributes.  But even that didn't require
> retaining the attributes in the types symbol table.  Some prior
> discussions:
> http://marc.info/?l=selinux&m=111962389000504&w=2
> http://marc.info/?l=selinux&m=112266531009712&w=2
> http://marc.info/?l=selinux&m=112351688414526&w=2

i am awfully sorry for forgetting to search archives before asking
questions.

it have followed these discussions, and it seems to need some times
to understand completely :-)



> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.