Re: per role template confusion

On Oct 10, 2008, at 9:29 AM, Christopher J. PeBenito wrote:

> On Fri, 2008-10-10 at 09:03 -0500, Joe Nall wrote:
>> On Oct 10, 2008, at 7:58 AM, Christopher J. PeBenito wrote:
>>
>>> On Thu, 2008-10-09 at 18:17 -0500, Joe Nall wrote:
>>>> On Oct 9, 2008, at 3:24 PM, Joshua Brindle wrote:
>>>>
>>>>> Joe Nall wrote:
>>>>>> Can someone explain the per role template implementation? I am
>>>>>> confused.
>>>>>>
>>>>>> During policy compilation, a .mod.role file is created that just
>>>>>> references the roles in /usr/share/selinux/devel/include/rolemap
>>>>>> regardless of the roles defined via semanage. Should semanage add
>>>>>> roles to rolemap? Is there additional magic in semodule?
>>>>>>
>>>>>> joe
>>>>>
>>>>> Roles aren't created by semanage, only user->role mappings. The
>>>>> per_role_template creates derived types for each role (e.g.,
>>>>> staff_mozilla_t, sysadm_mozilla_t). These roles are defined in the
>>>>> policy only.
>>>>
>>>> Ok. I thought the role statement just did type mapping and did not
>>>> realize there was an implicit role declaration.
>>>>
>>>> I would still like an explanation of how this works and if/how new
>>>> roles are handled with respect to per role templates.
>>>
>>> For each entry in the rolemap file, the infrastructure calls the
>>> [modulename]_per_role_template() for each module, if it exists.
>>
>> The compilation infrastructure - correct?
>
> I should have been more specific: the refpolicy build infrastructure.
>
>> So to add a new role I need to add it to the rolemap and rebuild the
>> whole policy?
>
> You only need to add it to the rolemap if you want it to
> automatically call all of the per_role_templates(). Otherwise you can
> just call specific ones manually.

Can I use the deprecated role dominance to inherit from user_r if my roles are supersets of user_r? There are 51 (in Fedora) per role templates that are missed with new roles - some of them are important :)

joe
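Added illustration of the mechanism Christopher describes, written for this page and not taken from the thread, refpolicy or Fedora: a rolemap entry, a module's per-role template, the calls the build infrastructure generates from rolemap, and a manual call for a role that is not listed there. The rolemap column order, the template argument order ($1 prefix, $2 user domain, $3 user role), the interfaces used inside the template (application_domain, domtrans_pattern) and the auditadm_r role are assumptions about refpolicy conventions, not facts stated in the thread.

```m4
## Added example; assumed refpolicy conventions, not project code.
##
## 1. rolemap, as read by the refpolicy build (assumed columns:
##    prefix, user role, user domain)
#
#   user    user_r    user_t
#   staff   staff_r   staff_t
#   sysadm  sysadm_r  sysadm_t

## 2. A per-role template in a module's .if file. Argument order
##    ($1 prefix, $2 user domain, $3 user role) is assumed.
template(`mozilla_per_role_template',`
	gen_require(`
		type mozilla_exec_t;
	')

	# Derived type per role: staff_mozilla_t, sysadm_mozilla_t, ...
	type $1_mozilla_t;
	application_domain($1_mozilla_t, mozilla_exec_t)

	# Without this line the role cannot enter the derived type at all.
	role $3 types $1_mozilla_t;

	# The user domain transitions into the derived type on exec.
	domtrans_pattern($2, mozilla_exec_t, $1_mozilla_t)
')

## 3. What the build writes into the module's .mod.role file, one call
##    per rolemap entry, for every module that defines the template.
mozilla_per_role_template(user, user_t, user_r)
mozilla_per_role_template(staff, staff_t, staff_r)
mozilla_per_role_template(sysadm, sysadm_t, sysadm_r)

## 4. A role that is not in rolemap gets no generated calls. Either add
##    it to rolemap and rebuild, or call the templates you need by hand
##    in the policy that declares the role (hypothetical auditadm_r):
role auditadm_r;
type auditadm_t;
mozilla_per_role_template(auditadm, auditadm_t, auditadm_r)
```

The practical consequence is the one Joe raises: a role defined outside rolemap silently lacks every derived domain, so programs that should run confined as `<prefix>_mozilla_t` instead run in the user domain or fail to transition. After loading the policy, listing the types that carry the new prefix (for example with `seinfo -t` from setools, assumed to be installed) is a quick check that each template you expected to fire actually produced its `<prefix>_*_t` type.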



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
