From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Aug 2008 08:12:12 -0400
Subject: [refpolicy] Parsing Binary Ref Policy
In-Reply-To:
References:
Message-ID: <1220011932.22710.29.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> I am trying to parse the refpolicy under Ubuntu 8.04. I
> used /etc/selinux/refplicy/policy/policy.22. The size of the binary
> policy is about 360K (accurate size is 360296).
>
> Then I use the "dispol" tool in checkpolicy to parse the policy. However,
> I feel that the parsing result is not correct. There are many
> domains missing in the parse result. There is no httpd domain, no
> ftpd domain...
>
> And the access vector really confuses me. For example, I think the
> domain insmod_t should be entered through insmod, rmmod, ... But from
> the policy, domain insmod_t has the entrypoint privilege over a lot
> of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> are more than 300 of them).
>
> Did I do anything wrong? And if I am getting the correct binary
> policy, why is the entrypoint privilege configured this way?

The insmod_t domain has the entrypoint permission on all files because
it is unconfined in the Ubuntu policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
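As an added example (not from the thread and not refpolicy's own tooling): a small Python check that parses allow rules in the style of sesearch's rule output, collects the file types each domain may be entered through, and flags domains whose entrypoint set is far larger than the one or two *_exec_t types a confined domain normally has. The reply above attributes insmod_t's 300-plus entrypoint types to the domain being unconfined; this check surfaces such domains from a rule dump so the reader can tell "unconfined by design" from "parsed wrong". The sample rules are constructed (only the insmod_t targets echo the thread), and the threshold, the httpd_t and ftpd_t rules, and the helper names are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample rules in the style of sesearch's allow-rule output.
# They are invented for this example (only the insmod_t targets echo the
# thread's list); they are not taken from the Ubuntu policy under discussion.
SAMPLE_RULES = """\
allow insmod_t hplip_etc_t:file { entrypoint };
allow insmod_t lpd_tmp_t:file { entrypoint };
allow insmod_t proc_afs_t:file { entrypoint };
allow insmod_t pam_tmp_t:file { entrypoint };
allow insmod_t insmod_exec_t : file { entrypoint execute read } ;
allow insmod_t self:capability sys_module;
allow httpd_t httpd_exec_t:file { entrypoint };
allow ftpd_t ftpd_exec_t:file entrypoint;
allow ftpd_t ftpd_exec_t:file { read getattr };
"""

# One allow rule per line; permissions may be braced or a single bare word,
# and setools versions differ on spacing around ':' and ';'.
RULE_RE = re.compile(
    r'^allow\s+(\S+)\s+([^\s:]+)\s*:\s*([^\s:]+)\s+'
    r'(?:\{\s*([^}]*)\}|([^\s;{}]+))\s*;\s*$'
)


def parse_allow_rules(text):
    """Yield (source, target, class, perms) for every allow rule in text."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments and non-allow statements are skipped
        src, tgt, cls, braced, bare = m.groups()
        perms = frozenset((braced if braced is not None else bare).split())
        yield src, tgt, cls, perms


def entrypoint_types(text):
    """Map each domain to the set of file types it may be entered through."""
    result = defaultdict(set)
    for src, tgt, cls, perms in parse_allow_rules(text):
        if cls == 'file' and 'entrypoint' in perms:
            result[src].add(tgt)
    return dict(result)


def over_broad_domains(text, threshold=3):
    """Domains with more entrypoint types than threshold.

    A confined domain is normally entered through one or a few *_exec_t
    types; a count in the hundreds, as in the thread, is the signature of an
    unconfined domain. The default threshold is an assumption that fits the
    constructed sample; a real policy warrants a larger value.
    """
    return sorted(dom for dom, types in entrypoint_types(text).items()
                  if len(types) > threshold)


if __name__ == '__main__':
    # Pass a file of sesearch output as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for dom, types in sorted(entrypoint_types(text).items()):
        print(f'{dom}: {len(types)} entrypoint type(s)')
    print('over-broad:', over_broad_domains(text))
```

Run against a real dump (for example the output of `sesearch --allow -p entrypoint` saved to a file) the same two functions apply; the parser only keys on the allow/target/class/permission shape, so the class filter on `file` keeps capability and other non-file rules out of the count.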