[refpolicy] Parsing Binary Ref Policy
Christopher J. PeBenito
cpebenito at tresys.com
Fri Aug 29 07:12:12 CDT 2008
On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> I am trying to parse the refpolicy under Ubuntu 8.04. I
> used /etc/selinux/refplicy/policy/policy.22. The size of the binary
> policy is about 360K (accurate size is 360296).
>
> Then I used the "dispol" tool in checkpolicy to parse the policy. However,
> I feel that the parsing result is not correct. There are many
> domains missing in the parse result. There is no httpd domain, no
> ftpd domain...
>
> And the access vector really confuses me. For example, I think the
> domain insmod_t should be entered through insmod, rmmod, ... But from
> the policy, domain insmod_t has the entrypoint privilege over a lot
> of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> are more than 300 of them).
>
> Did I do anything wrong? And if I am getting the correct binary
> policy, why is the entrypoint privilege configured this way?

The insmod_t domain has the entrypoint permission on all files because
it is unconfined in the Ubuntu policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
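
The distinction in the reply can be checked mechanically on a text dump of allow rules: a confined domain has `entrypoint` on a few executable types, an unconfined one on very many. The following is an added example, not part of the original message or of refpolicy; the rule layout, the sample rules and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in "allow source target : class { perms };" form.
# Assumption: the real dump (e.g. from dispol) uses a comparable layout;
# adjust RULE_RE if it does not.
SAMPLE_RULES = """\
allow httpd_t httpd_exec_t : file { read getattr execute entrypoint };
allow ftpd_t ftpd_exec_t : file { read getattr execute entrypoint };
allow insmod_t insmod_exec_t : file { read getattr execute entrypoint };
allow insmod_t hplip_etc_t : file { ioctl read write entrypoint };
allow insmod_t lpd_tmp_t : file { ioctl read write entrypoint };
allow insmod_t proc_afs_t : file { ioctl read write entrypoint };
allow insmod_t pam_tmp_t : file { ioctl read write entrypoint };
allow insmod_t pam_tmp_t : dir { read search };
"""

RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\w+)\s*"
    r"(?:\{([^}]*)\}|(\S+?))\s*;")

def entrypoint_targets(rules_text):
    """Map each source domain to the file types it can be entered through."""
    targets = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # not an allow rule (type transitions, comments, ...)
        source, target, tclass, braced, single = m.groups()
        perms = (braced or single or "").split()
        # entrypoint is only meaningful on the file class
        if tclass == "file" and "entrypoint" in perms:
            targets[source].add(target)
    return dict(targets)

def broad_entrypoint_domains(rules_text, threshold):
    """Return (domain, count) for domains with more than `threshold`
    entrypoint types, largest first: candidates for being unconfined."""
    counts = {d: len(t) for d, t in entrypoint_targets(rules_text).items()}
    flagged = [(d, n) for d, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for domain, count in broad_entrypoint_domains(SAMPLE_RULES, threshold=3):
        print(f"{domain}: entrypoint on {count} file types")
```

On a real policy the threshold would be set well above the number of executables a confined domain legitimately has; the value 3 only suits the small sample.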