LinuxLists.cc - [refpolicy] flask.py and its stuff

2013-11-25 09:30:04

Subject: [refpolicy] flask.py and its stuff

Hello.

My main target is to write my own policy.
My policy is some kind simple than refpolicy.
I took files access_vectors, initial_sids, security_classes from refpolicy.
Within time I do changes to above files.
Now I have stuck with them and with
selinux-policy.git/plain/policy/flask/flask.py
I have few questions.

1. PURPOSE.
What is the purpose of selinux-policy.git/plain/policy/flask/flask.py
script?
Does `flask.py' take access_vectors, initial_sids, security_classes as
an input ?
Does `flask.py' generate access_vectors, initial_sids, security_classes
files?

2. KERNEL SIDE
I can see that
* Nowadays kernels use only file:
security/selinux/include/initial_sid_to_string.h:1:/* This file is
automatically generated. Do not edit. */
* Early kernels uses also:
security/selinux/include/av_inherit.h:1:/* This file is automatically
generated. Do not edit. */
security/selinux/include/av_perm_to_string.h:1:/* This file is
automatically generated. Do not edit. */
security/selinux/include/av_permissions.h:1:/* This file is
automatically generated. Do not edit. */
security/selinux/include/class_to_string.h:1:/* This file is
automatically generated. Do not edit. */
security/selinux/include/common_perm_to_string.h:1:/* This file is
automatically generated. Do not edit. */
security/selinux/include/flask.h:1:/* This file is automatically
generated. Do not edit. */
security/selinux/include/initial_sid_to_string.h:1:/* This file is
automatically generated. Do not edit. */
Do I need rebuild kernel if :
My file `initial_sids' is the same as in refpolicy.
&
My files `access_vectors' and `security_classes' has been changed by me.
?

3. LIBSELINUX SIDE
libselinux has files as part of it:

$ grep -rn 'This file is auto' .
./include/selinux/av_permissions.h:1:/* This file is automatically
generated. Do not edit. */
./include/selinux/flask.h:1:/* This file is automatically generated. Do
not edit. */
./src/av_inherit.h:1:/* This file is automatically generated. Do not
edit. */
./src/av_perm_to_string.h:1:/* This file is automatically generated. Do
not edit. */
./src/class_to_string.h:1:/* This file is automatically generated. Do
not edit. */
./src/common_perm_to_string.h:1:/* This file is automatically
generated. Do not edit. */
Does it mean, that I need to:
* generate above headers with flask.py sript?
* rebuild libselinux each time with new generated headers ?

2013-12-11 08:00:03

by Andrew V. Stepanov

[permalink] [raw]

Subject: [refpolicy] flask.py and its stuff

25.11.13, 13:30, Andrew V. Stepanov ?????:
> Hello.
>
> My main target is to write my own policy.
> My policy is some kind simple than refpolicy.
> I took files access_vectors, initial_sids, security_classes from
> refpolicy.
> Within time I do changes to above files.
> Now I have stuck with them and with
> selinux-policy.git/plain/policy/flask/flask.py
> I have few questions.
>
> 1. PURPOSE.
> What is the purpose of selinux-policy.git/plain/policy/flask/flask.py
> script?
> Does `flask.py' take access_vectors, initial_sids, security_classes as
> an input ?
> Does `flask.py' generate access_vectors, initial_sids,
> security_classes files?
>
> 2. KERNEL SIDE
> I can see that
> * Nowadays kernels use only file:
> security/selinux/include/initial_sid_to_string.h:1:/* This file is
> automatically generated. Do not edit. */
> * Early kernels uses also:
> security/selinux/include/av_inherit.h:1:/* This file is automatically
> generated. Do not edit. */
> security/selinux/include/av_perm_to_string.h:1:/* This file is
> automatically generated. Do not edit. */
> security/selinux/include/av_permissions.h:1:/* This file is
> automatically generated. Do not edit. */
> security/selinux/include/class_to_string.h:1:/* This file is
> automatically generated. Do not edit. */
> security/selinux/include/common_perm_to_string.h:1:/* This file is
> automatically generated. Do not edit. */
> security/selinux/include/flask.h:1:/* This file is automatically
> generated. Do not edit. */
> security/selinux/include/initial_sid_to_string.h:1:/* This file is
> automatically generated. Do not edit. */
> Do I need rebuild kernel if :
> My file `initial_sids' is the same as in refpolicy.
> &
> My files `access_vectors' and `security_classes' has been changed by me.
> ?
>
> 3. LIBSELINUX SIDE
> libselinux has files as part of it:
>
> $ grep -rn 'This file is auto' .
> ./include/selinux/av_permissions.h:1:/* This file is automatically
> generated. Do not edit. */
> ./include/selinux/flask.h:1:/* This file is automatically generated.
> Do not edit. */
> ./src/av_inherit.h:1:/* This file is automatically generated. Do not
> edit. */
> ./src/av_perm_to_string.h:1:/* This file is automatically generated.
> Do not edit. */
> ./src/class_to_string.h:1:/* This file is automatically generated. Do
> not edit. */
> ./src/common_perm_to_string.h:1:/* This file is automatically
> generated. Do not edit. */
> Does it mean, that I need to:
> * generate above headers with flask.py sript?
> * rebuild libselinux each time with new generated headers ?
>

Please, could somebody give some comments to above message ?