On Wed, 2008-08-20 at 17:45 -0400, David P. Quigley wrote:
> On Wed, 2008-08-20 at 14:48 -0700, Casey Schaufler wrote:
> > David P. Quigley wrote:
> > > Back in August of 2006 Serge posted a patch to this list which generates
> > > a bare minimum policy based on the flask definition headers in the Linux
> > > kernel tree. While I was at OLS someone had mentioned that they wanted
> > > an easy way to generate a bare minimum policy that they could then carve
> > > up as they wanted. I have taken Serge's patch and have updated it to
> > > work with the latest Linux kernel.
> > >
> > > For those interested in the changes, there were only two significant
> > > changes. The first is that the iteration through the list of classes
> > > used NULL as a sentinel value. The problem with this is that the
> > > class_to_string array actually has NULL entries in its table as place
> > > holders for the user space object classes.
> > >
> > > The second change was that it would seem at some point the initial sids
> > > table was NULL terminated. This is no longer the case, so that iteration
> > > has to be done on array length instead of looking for NULL.
> > >
> > > Some statistics on the policy that it generates:
> > >
> > > The policy consists of 523 lines which contain no blank lines. Of those
> > > 523 lines, 453 of them are class, permission, and initial sid
> > > definitions. These lines are usually of little to no concern to the policy
> > > developer since they will not be adding object classes or permissions.
> > > Of the remaining 70 lines there is one type, one role, and one user
> > > statement. The remaining lines are broken into three portions. The first
> > > group are TE allow rules which make up 29 of the remaining lines, the
> > > second is assignment of labels to the initial sids which consist of 27
> > > lines, and file system labeling statements which are the remaining 11.
> > >
> > > In addition to the policy.conf generated there is a single file_contexts
> > > file containing two lines which labels the entire system with base_t.
> > >
> > > This policy generates a policy.23 binary that is 7920 bytes.
> > >
> > > Dave
> >
> > Thank you. I noticed that class "capability2" is defined but
> > never used. Is this intentional?
>
> Ok here is a fixed version of the program. It increases the TE allow
> rules to 47 from 29 so it isn't much larger and increases the policy.23
> file to 8136 bytes.
>
> Dave

OK, so in testing this policy I ran into a small idiosyncrasy of policy
creation. I was under the false assumption that I could strip out the
user space object classes. This is not the case, so I will fix up the
program once again to emit fake names for the user space object classes.

Dave
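The two iteration problems described in the thread (a NULL-sentinel walk of class_to_string that stops at the first user space placeholder, and an initial SID table that is no longer NULL-terminated), together with the fix Dave announces in his last message (emitting stand-in names for the placeholder classes), as an added example. This is not Serge's or Dave's generator and not kernel code: the two tables below are constructed, shortened stand-ins for the kernel's class_to_string and initial_sid_to_string arrays, and the userspace_class_N naming scheme is a hypothetical choice for the placeholders. The reason the placeholders cannot simply be dropped is that class values in a compiled policy are assigned in declaration order and must line up with the kernel's compiled-in class numbers, so a class that follows the user space entries (capability2 here) would otherwise get the wrong value.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed, shortened stand-in for the kernel's generated
 * class_to_string table. As in the real table, entry 0 is NULL and
 * class numbers reserved for user space object classes are NULL
 * placeholders; kernel classes (here capability2) can follow them. */
static const char *const class_to_string[] = {
    NULL,          /* 0: unused */
    "security",
    "process",
    "system",
    "capability",
    "filesystem",
    "file",
    NULL,          /* placeholder for a user space object class */
    NULL,          /* placeholder for a user space object class */
    "capability2",
};

/* Constructed stand-in for initial_sid_to_string. It is not
 * NULL-terminated, so the array length is the only loop bound. */
static const char *const initial_sid_to_string[] = {
    "null", "kernel", "security", "unlabeled", "fs", "file", "devnull",
};

/* The original loop: walk from entry 1 until the first NULL. With NULL
 * placeholders in the table it stops early and never reaches capability2.
 * Returns the number of classes such a loop would have emitted. */
size_t count_classes_null_sentinel(const char *const *tbl, size_t n)
{
    size_t count = 0;
    for (size_t i = 1; i < n && tbl[i] != NULL; i++)
        count++;
    return count;
}

/* Fixed loop: bound by array length, with a stand-in name emitted for
 * each NULL placeholder so the declaration order (and thus the class
 * values checkpolicy assigns) stays aligned with the kernel's numbering.
 * Writes "class <name>" lines into buf; returns the number of classes. */
size_t emit_classes(const char *const *tbl, size_t n, char *buf, size_t cap)
{
    size_t count = 0, used = 0;
    for (size_t i = 1; i < n; i++) {
        char name[32];
        const char *cls = tbl[i];
        if (cls == NULL) {
            /* hypothetical naming scheme for the placeholder classes */
            snprintf(name, sizeof name, "userspace_class_%zu", i);
            cls = name;
        }
        int w = snprintf(buf + used, cap - used, "class %s\n", cls);
        if (w < 0 || (size_t)w >= cap - used)
            break; /* out of space: stop rather than truncate silently */
        used += (size_t)w;
        count++;
    }
    return count;
}

/* Initial SIDs: the same length-bounded walk. Entry 0 ("null") is not
 * declared in policy source, so start at 1. Returns the number of sids. */
size_t emit_sids(const char *const *tbl, size_t n, char *buf, size_t cap)
{
    size_t count = 0, used = 0;
    for (size_t i = 1; i < n; i++) {
        int w = snprintf(buf + used, cap - used, "sid %s\n", tbl[i]);
        if (w < 0 || (size_t)w >= cap - used)
            break;
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[4096];
    printf("# NULL-sentinel loop would emit only %zu classes\n",
           count_classes_null_sentinel(class_to_string, ARRAY_SIZE(class_to_string)));
    emit_classes(class_to_string, ARRAY_SIZE(class_to_string), buf, sizeof buf);
    fputs(buf, stdout);
    emit_sids(initial_sid_to_string, ARRAY_SIZE(initial_sid_to_string), buf, sizeof buf);
    fputs(buf, stdout);
    return 0;
}
```

With the constructed tables the sentinel loop stops after "file" and drops capability2, while the length-bounded loop emits all nine class declarations (two of them placeholders) and six sid declarations. A real generator would substitute the kernel's full tables for the constructed ones.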