From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Aug 2008 08:12:12 -0400
Subject: [refpolicy] Parsing Binary Ref Policy
In-Reply-To: <f00ed96d0808282054h53d50bbfg5e70f51da7e511e2@mail.gmail.com>
References: <f00ed96d0808282054h53d50bbfg5e70f51da7e511e2@mail.gmail.com>
Message-ID: <1220011932.22710.29.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> I am trying to parse the refpolicy under ubuntu 8.04.  I
> used /etc/selinux/refplicy/policy/policy.22.  The size of the binary
> policy is about 360K(accurate size is 360296).
> 
> Then I use "dispol" tool in checkpolicy to parse the policy.  However
> I feel that the parsing result is not correct.  There are  many
> domains missing in the parse result.  There is no htttpd domain, no
> ftpd domain...
> 
> And the access vector really confuses me. For example, I think the
> domain insmod_t should be entered through insmod, rmmod, ...  But from
> the policy,  domain insmod_t has the entrypoint privilege over a lot
> of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> are more than 300 of them).
> 
> Did I do anything wrong?  And if I am getting the correct binary
> policy, why the entrypoint privilege is configure this way?

The insmod_t domain has the entrypoint permission on all files because
it is unconfined in the ubuntu policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150