On Thu, 27 May 2004 11:59:24 CDT, Bob Gustafson <bobgus@xxxxxxx> said:

> Is there a script around somewhere - something like 'configure' which is
> used at the beginning of a component build - which will query various
> pieces of a system, do a 'setenforce 1' and then try various programs and
> grep the output to give some binary answer, then do 'setenforce 0' and try
> the same program, etc.

"Testing can reveal the presence of flaws, but not their absence" -- Dijkstra

Writing such a test harness for a program is a daunting challenge - the biggest hurdle is that although you can cover 75% of the issues simply by doing a 'setenforce 1' and seeing if the program will even start up, devising harness cases for the other 25% is very difficult - it's often stuff like "initial one-time file creation" or "error handling" (I've had the joy of trying to debug an application that got a permission error while trying to open an error message catalog to get the human-readable form of "permission error" - instant recursive error ;)

My posting about mysql the other day was related to another project of mine that involves a multi-gigabyte mysql database. The as-shipped mysql.fc labels files with the assumption that /var/lib/mysql/<dbname> is where the database lives. Now, either I get to live with a 40-gigabyte /var, or I also stick a mysqld_db_t on the /datastore/<dbname> tree where the database actually resides.

Now for those of you listening at home - devise a test that will catch the difference between these two lines:

    /datastore/mydata(/.*)?    system_u:object_r:mysqld_db_t
    /datastore(/.*)?           system_u:object_r:mysqld_db_t

(Hint - what happens if there's a /datastore/otherstuff directory?)

> This script would help to give struggling sysadmins some degree of
> confidence that what is being done to their 'policy.local' or whatever, is
> benign.

It's feasible to set up a script that verifies that a given program is given "enough" access - see 'audit2allow'. It's another challenge entirely to verify that it is in fact the minimal set of required access - mostly because it has no way to identify what "proper" means. (Hmm... I'm trying to figure out if the generic case of computing "minimal set" is the equivalent of the Halting Problem. It's actually probably fairly doable with static code analysis, except that programmers have this very annoying tendency to do stuff like call sprintf(foo,"%s", user_file); and then open(foo)... And sometimes they actually *want* a "../.." pattern in foo. ;)
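The test the message asks readers to devise, as an added example that is not part of the original mail: a small Python check that labels a handful of constructed paths with each candidate file-context line and reports any path that receives mysqld_db_t outside /datastore/mydata. It assumes the file_contexts matching rule that regexes are anchored at both ends and the last matching entry wins; the default_t catch-all entry and the sample paths are constructed, not taken from a real policy.

```python
import re

# Two candidate entries from the message, each placed after a constructed
# catch-all so the lookup has something to fall back to (a real file_contexts
# has many more entries; this one is deliberately minimal).
FALLBACK = ("/.*", "system_u:object_r:default_t")
SPECS_NARROW = [FALLBACK, ("/datastore/mydata(/.*)?", "system_u:object_r:mysqld_db_t")]
SPECS_BROAD = [FALLBACK, ("/datastore(/.*)?", "system_u:object_r:mysqld_db_t")]

# Constructed sample paths: the mount point, the real database tree,
# an unrelated sibling tree, and something outside /datastore entirely.
SAMPLE_PATHS = [
    "/datastore",
    "/datastore/mydata",
    "/datastore/mydata/ibdata1",
    "/datastore/otherstuff",
    "/datastore/otherstuff/backup.tar",
    "/var/lib/mysql/ibdata1",
]


def lookup(specs, path):
    """Context assigned to path: file_contexts regexes are anchored at both
    ends and, when several entries match, the last one listed wins."""
    context = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            context = ctx
    return context


def under(path, prefix):
    """True if path is prefix itself or lies inside it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def overlabelled(specs, se_type, allowed_prefixes, paths=SAMPLE_PATHS):
    """Paths that receive se_type although they are outside every allowed
    prefix: exactly the over-broad labelling the hint is pointing at."""
    hits = []
    for p in paths:
        ctx = lookup(specs, p)
        if ctx and ctx.split(":")[2] == se_type and not any(under(p, a) for a in allowed_prefixes):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for name, specs in (("narrow", SPECS_NARROW), ("broad", SPECS_BROAD)):
        extra = overlabelled(specs, "mysqld_db_t", ["/datastore/mydata"])
        print(f"{name}: " + ("ok" if not extra else "mysqld_db_t leaks onto " + ", ".join(extra)))
```

Run against a real policy by replacing the spec lists with the entries of mysql.fc and file_contexts.local in their installed order; the check then flags any path that mysqld would be allowed to read or write without the administrator having intended it.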