229fd05c - doc: ReSTify SELinux.txt

Sat, 13 May 2017 11:51:44 +0000

doc: ReSTify SELinux.txtAdjusts for ReST markup and moves under LSM admin guide.Cc: Paul Moore Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet List of files: /linux-6.15/scripts/selinux/README

d410fa4e - Create Documentation/security/,

Thu, 19 May 2011 22:59:38 +0000

Create Documentation/security/,move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/,add Documentation/security/00-INDEX, andupdate all occurrences of Documentation/ to Documentation/security/. List of files: /linux-6.15/scripts/selinux/README

93c06cbb - selinux: add support for installing a dummy policy (v2)

Tue, 26 Aug 2008 19:47:57 +0000

selinux: add support for installing a dummy policy (v2)In August 2006 I posted a patch generating a minimal SELinux policy. Thisweek, David P. Quigley posted an updated version of that as a patch againstthe kernel. It also had nice logic for auto-installing the policy.Following is David's original patch intro (preserved especiallybc it has stats on the generated policies):se interested in the changes there were only two significantchanges. The first is that the iteration through the list of classesused NULL as a sentinel value. The problem with this is that theclass_to_string array actually has NULL entries in its table as placeholders for the user space object classes.The second change was that it would seem at some point the initial sidstable was NULL terminated. This is no longer the case so that iterationhas to be done on array length instead of looking for NULL.Some statistics on the policy that it generates:The policy consists of 523 lines which contain no blank lines. Of those523 lines 453 of them are class, permission, and initial siddefinitions. These lines are usually little to no concern to the policydeveloper since they will not be adding object classes or permissions.Of the remaining 70 lines there is one type, one role, and one userstatement. The remaining lines are broken into three portions. The firstgroup are TE allow rules which make up 29 of the remaining lines, thesecond is assignment of labels to the initial sids which consist of 27lines, and file system labeling statements which are the remaining 11.In addition to the policy.conf generated there is a single file_contextsfile containing two lines which labels the entire system with base_t.This policy generates a policy.23 binary that is 7920 bytes.(then a few versions later...):The new policy is 587 lines (stripped of blank lines) with 476 of thoselines being the boilerplate that I mentioned last time. The remaining111 lines have the 3 lines for type, user, and role, 70 lines for theallow rules (one for each object class including user space objectclasses), 27 lines to assign types to the initial sids, and 11 lines forfile system labeling. The policy binary is 9194 bytes.Changelog: Aug 26: Added Documentation/SELinux.txt Aug 26: Incorporated a set of comments by Stephen Smalley: 1. auto-setup SELINUXTYPE=dummy 2. don't auto-install if selinux is enabled with non-dummy policy 3. don't re-compute policy version 4. /sbin/setfiles not /usr/sbin/setfiles Aug 22: As per JMorris comments, made sure make distclean cleans up the mdp directory. Removed a check for file_contexts which is now created in the same file as the check, making it superfluous.Signed-off-by: Serge Hallyn Signed-off-by: David Quigley Signed-off-by: James Morris List of files: /linux-6.15/scripts/selinux/README

Changes in README

229fd05c - doc: ReSTify SELinux.txt

d410fa4e - Create Documentation/security/,

93c06cbb - selinux: add support for installing a dummy policy (v2)