RE: [PATCH 01/15] [src-policy] refpol language and tools

> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> Sent: Wednesday, January 27, 2010 2:40 PM
> To: Caleb Case
> Cc: selinux@xxxxxxxxxxxxx; Chad Sellers; Karl MacMillan;
> jwcart2@xxxxxxxxxxxxx; Joshua Brindle
> Subject: Re: [PATCH 01/15] [src-policy] refpol language and tools
> 
> On Tue, 2010-01-26 at 17:08 -0500, Caleb Case wrote:
> > [refpol Language]
> >
> > The refpol language is a simple transformation of a standard Reference
> > Policy module consisting of 3 files to a single file format with
> > sections. Each Reference Policy file is placed into a refpol section as
> > follows:
> >
> >    <module>.if   =>   [interface]
> >    <module>.te   =>   [policy]
> >    <module>.fc   =>   [context]
> >
> > * These are the only valid section headers.
> >
> > * A section begins with a section marker and ends with the next marker
> >   encountered or the end of the file.
> >
> > * If a file has at least one section marker and there is text before the
> >   first section then this is an error.
> >
> > * There can be at most one of each valid section marker in a file.
> >
> > * A file without any section markers is assumed to be only policy.
> >
> > * The valid contents of each section are the same as for the separate
> >   reference policy files.
> >
> > * The standard filename extension is '.ref'.
> >
> > [refpol Tool]
> >
> > The refpol tool can create a refpol module from a Reference Policy
> > module.
> >
> >    Usage: refpol COMMAND [OPTIONS] MODULE.ref
> >
> >    Commands:
> >      create		create a new refpol
> >      extract		extract .if, .te, and .fc files from a refpol
> >
> >    Options:
> >      --version             show program's version number and exit
> >      -h, --help            show this help message and exit
> >      -f, --force           force overwriting existing files
> >
> >      Create options:
> >        -i FILE, --interface=FILE
> >                            interface file
> >        -p FILE, --policy=FILE
> >                            policy file
> >        -c FILE, --context=FILE
> >                            context file
> >
> > Example:
> >
> > # refpol create -i alsa.if -p alsa.te -c alsa.fc alsa.ref
> >
> > refpol modules should have the '.ref' extension. The resulting alsa.ref
> > looks like this:
> >
> >    [interface]
> >
> >    policy_module(alsa, 1.8.0)
> 
> The policy_module() declaration in existing modules is in their .te
> file, not their .if file.
> 
> If you are going to move up the declaration, then:
> a) What you say earlier about the mapping of the current files and the
> valid contents of the sections is not entirely accurate, and
> b) Wouldn't it make more sense to move the declaration to the very
> beginning before the three sections, as it pertains to all three?

Sorry, this is a typo. I seem to have swapped the [policy] and
[interface] sections. The tool doesn't move the policy_module statement.

> 
> >
> >    ########################################
> >    #
> >    # Declarations
> >    #
> >    <snip>
> >
> >    [policy]
> >    ## <summary>Ainit ALSA configuration tool</summary>
> >    <snip>
> >
> >    [context]
> >    /bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
> >    <snip>
> >
> > [refpol HLL compiler]
> >
> > The refpolc high level language (HLL) compiler performs basic formatting
> > checks and extracts the policy version from the policy_module statement.
> >
> >    Usage: refpolc [OPTIONS] [MODULE]
> >
> >    Input is read from stdin unless MODULE is provided.
> >    Output is written to stdout unless -o is specified.
> >
> >    Options:
> >      --version             show program's version number and exit
> >      -h, --help            show this help message and exit
> >      -f, --force           force overwriting existing files
> >      -o FILE, --output=FILE
> >                            output file
> >
> > Example:
> >
> > # refpolc < apache.ref > apache.cil 3<> apache.version
> 
> --
> Stephen Smalley
> National Security Agency
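A parser and checker for the refpol section format described in the quoted proposal, as an added example that is not part of the posted patch series or of the refpol/refpolc tools themselves. It implements the rules exactly as Caleb listed them (only [interface], [policy] and [context] are valid headers; text before the first marker is an error; at most one of each section; a marker-less file is all policy) with the section order as corrected in the reply (policy_module in [policy]), plus the policy_module version extraction that refpolc is described as doing. Treating whitespace-only lines before the first marker as "no text" is this example's own assumption, and the function names (parse_refpol, check_refpol, extract_policy_version, extract_files) are hypothetical.

```python
"""Parser and checker for the single-file refpol format from the thread.

Added example, not code from the patch series. Whitespace-only lines before
the first marker are treated as "no text" (an assumption of this example).
"""
import re

# [section] -> Reference Policy file extension, as given in the proposal
SECTION_EXT = {"interface": ".if", "policy": ".te", "context": ".fc"}

# A marker is a bracketed word alone on its line
_MARKER = re.compile(r"^\[([A-Za-z_]+)\]\s*$")
# policy_module(name, version), anywhere in the policy body
_POLICY_MODULE = re.compile(
    r"^\s*policy_module\(\s*([A-Za-z0-9_]+)\s*,\s*([0-9]+(?:\.[0-9]+)*)\s*\)",
    re.M,
)


class RefpolError(ValueError):
    """Raised when a .ref file violates one of the section rules."""


def parse_refpol(text):
    """Split .ref text into {section: body}; bodies are newline-joined lines."""
    sections = {}
    current = None   # name of the section being collected, None before the first marker
    buf = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _MARKER.match(line)
        if not m:
            buf.append(line)
            continue
        name = m.group(1)
        if name not in SECTION_EXT:
            raise RefpolError("line %d: unknown section [%s]" % (lineno, name))
        if name in sections or name == current:
            raise RefpolError("line %d: duplicate section [%s]" % (lineno, name))
        if current is None:
            # First marker: anything but whitespace before it is an error
            if any(l.strip() for l in buf):
                raise RefpolError("line %d: text before first section" % lineno)
        else:
            sections[current] = "\n".join(buf)
        current, buf = name, []
    if current is None:
        sections["policy"] = "\n".join(buf)   # no markers at all: whole file is policy
    else:
        sections[current] = "\n".join(buf)
    return sections


def check_refpol(text):
    """refpolc-style formatting check: None if the file is well-formed, else the error."""
    try:
        parse_refpol(text)
    except RefpolError as e:
        return str(e)
    return None


def extract_policy_version(policy_body):
    """Return (module, version) from the policy_module() statement, or None if absent."""
    m = _POLICY_MODULE.search(policy_body)
    return (m.group(1), m.group(2)) if m else None


def extract_files(text, module):
    """Map each section present to its Reference Policy filename (what 'refpol extract' writes)."""
    return {module + SECTION_EXT[name]: body for name, body in parse_refpol(text).items()}


# Constructed sample .ref in the corrected order (policy_module lives in [policy])
SAMPLE_REF = """\
[policy]

policy_module(alsa, 1.8.0)

########################################
#
# Declarations
#
type alsa_t;

[interface]
## <summary>Ainit ALSA configuration tool</summary>

[context]
/bin/alsaunmute\t\t--\tgen_context(system_u:object_r:alsa_exec_t,s0)
"""

if __name__ == "__main__":
    secs = parse_refpol(SAMPLE_REF)
    print(sorted(secs))                                # ['context', 'interface', 'policy']
    print(extract_policy_version(secs["policy"]))      # ('alsa', '1.8.0')
    print(check_refpol("type foo_t;\n[policy]\n"))     # line 2: text before first section
    print(check_refpol("[policy]\n[policy]\n"))        # line 2: duplicate section [policy]
```

check_refpol is the piece that matters for a build pipeline: a duplicated or misspelled marker silently dumping interface code into the policy section is exactly the kind of mistake the "at most one of each marker" and "only valid headers" rules exist to catch, so the parser refuses the file rather than guessing.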
