.pp files

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 20 19:04:29 UTC 2006


On Tue, 2006-09-19 at 19:36 +0200, Salvo Giuffrida wrote:
> So, what's now the role of the policy.number file in /etc/..../policy? Can 
> one still use the "old way" of modifying the source, and recompile into a 
> big binary file?

The policy modules are linked together and expanded into a kernel binary
policy image, which is then installed to that file for loading into the
kernel.

You don't absolutely have to use modular/managed policy, but doing so
has definite benefits, and both users and package scriptlets are
increasingly taking advantage of semodule and semanage for managing
policy in a modular way and customizing certain policy settings, and the
dependencies on it are only going to increase in the future as further
management infrastructure is created.

BTW, while the O'Reilly book predates the modular policy support
(possibly they'll issue an updated edition sometime, I don't know),
there is a newer SELinux book that includes discussion of policy modules
by people involved in their development, see:
http://selinuxnews.org/wp/index.php/2006/08/09/new-selinux-book-published/
http://mentalrootkit.org/?p=10

> Another thing, please: What's the "Object manager"?

That's a term used in the Flask security architecture, which SELinux
implements.  See:
http://www.nsa.gov/selinux/papers/flask-abs.cfm

-- 
Stephen Smalley
National Security Agency



