On 05/05/14 17:25, Christopher J. PeBenito wrote:
> On 05/04/2014 11:30 AM, dE wrote:
>> I'm trying to verify what I think because I've not read about this yet --
>> A SELinux 'module' is like a C object file; each module has a purpose of defining policies for a certain program.
>> Each module may be made a separate policy or many modules can be integrated into one policy file (like what Fedora has done).
> If you're talking about modules as in .pp files, then yes, they're a similar concept to C object code. Each module has a chunk of policy, and then all the modules are linked together to create the final policy.2x. There has to be at least one module in the policy, the base module. It is special in that all of the unconditional (not optional) dependencies must be met. There are also statements that can only exist in the base module, such as portcon, genfscon, and others. Otherwise, what is actually contained in each module is up to the policy writer. The modules tend to correspond to software packages. For example, in Reference Policy, there is an apache module which should constrain apache, a samba module for samba, etc.
Thanks for clarifying that!
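As an added illustration of the object-file analogy discussed in this thread (not part of the original messages): the source of a non-base module, showing an unconditional dependency and an optional one. The module name `myapp` and the type `myapp_data_t` are hypothetical; `httpd_t` and `samba_share_t` are assumed to be provided by the apache and samba modules of Reference Policy.

```te
# myapp.te -- constructed example of a non-base policy module.
module myapp 1.0;

# Unconditional dependencies: like undefined symbols in an object file,
# these must be supplied by another module when the policy is linked,
# otherwise installing this module fails.
require {
    type httpd_t;
    class file { getattr open read };
}

# A symbol this module defines itself (hypothetical type).
type myapp_data_t;

allow httpd_t myapp_data_t:file { getattr open read };

# Optional dependency: this block is enabled only if some installed
# module provides samba_share_t; if none does, the block is disabled
# and the rest of the module still links.
optional {
    require {
        type samba_share_t;
        class file { getattr open read };
    }
    allow httpd_t samba_share_t:file { getattr open read };
}

# Compile, package into a .pp file, and link into the installed policy
# (-M is for an MLS/MCS-enabled policy; omit it otherwise):
#   checkmodule -M -m -o myapp.mod myapp.te
#   semodule_package -o myapp.pp -m myapp.mod
#   semodule -i myapp.pp
```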