On Fri, Apr 10, 2009 at 08:45:06AM -0400, Stephen Smalley wrote:
> On Fri, 2009-04-10 at 17:43 +0500, Alexey S wrote:
> > ...
> > And if libqpol-based tools would be able to use that mapping when displaying
> > their results.
> > Otherwise it is too confusing to see @ttr0121 instead of domain_type during policy
> > analysis, especially when numbers change after module (re|un|)load.
>
> policy.24 already makes this change (preservation of attribute names in
> the types symtab in the final kernel policy).

Great! I really missed that thing. I have even tried to hack the policy compiler to write the attribute mapping to stderr...

>
> You can however already see the attribute names with policy < 24 by
> running apol and friends on the modular policy rather than the final
> kernel policy.

There are some use-cases where there are no modules on the local machine. And thus the policy is not "managed". And still it is not complete and needs some analysing/understanding.

By the way, is it impossible to add some cryptographic signature to the binary policy (and perhaps to the modules)? I would like to block REloading of policies without a proper signature (btw, it is very useful in the mentioned use-cases).

I think it is some infrastructure piece that is missing too.

--
Alexey S