Rahul Sundaram wrote:
Karl MacMillan wrote:
The first public release of the Madison SELinux policy generation
tools can be found at http://et.redhat.com/madison/. Madison is a new
project to create command line and GUI policy generation tools that:
* Create more readable and secure policy by leveraging the reference
policy development environment.
* Provide administrators with guidance and information to help them
make good security decisions.
This release focuses on the creation of a foundation library (in
Python). It only includes a single tool - audit2policy - that is a
drop-in replacement for audit2allow with better reference policy
interface call generation (using the undocumented -R audit2allow flag).
Contributions are very welcome. I'm looking for help with:
* Testing (particularly interface call generation and module
generation)
* Documentation
* Unit test creation
* Code / tool development
See the website for more details on contributing.
To the authors of other policy generation tools: I would like to avoid
duplication of effort where possible. The current release focuses on
areas that other tools have not explored thoroughly. Moving forward I
would like to discuss how we can best work together.
Please send any feedback to the selinux development list.
I don't want to subscribe to yet another list so I will send in my
comments here. I have put in an announcement in fedoraproject.org. A few
questions.
Sorry for the delay in answering.
* I installed the FC6 version. audit2policy is the only tool in this
package as of now. Do you plan to include it within an existing package
or introduce a new one?
I am currently planning to submit this code to the upstream selinux
project. If it is accepted then this will ultimately be included there.
Do you plan to replace audit2allow with this?
If it is accepted upstream, yes.
What are the specific differences between them?
The main user visible difference is more accurate reference policy
interface generation with audit2policy. Otherwise, the bulk of the
difference is in the code behind them - madison is designed to be
capable of much more and will hopefully be the basis for other tools in
the future.
* What is the plan for the GUI application? Is this connected to
system-config-selinux or semanage?
I have two tools in mind:
1) Local policy modifications - allow the user to make small policy
tweaks without having to build modules by hand. It will also help them
review the changes and suggest other ways to solve the problems (like
booleans). This will hopefully be part of system-config-selinux.
2) New policy module creation - help people create new policy modules
for applications, including things like cgi-scripts run by apache. This
is longer term.
* There is absolutely no documentation on the madison package and
I know - the audit2allow man page is most applicable.
running audit2policy on its own doesn't return the prompt (that probably
should return some basic help and we need a man page).
This is, unfortunately, inherited from audit2policy. By default it reads
from standard input.
I can help with
writing documentation if someone can explain the details to me.
Thanks - right now the audit2allow man page is sufficient. As more tools
are created I'll let you know so you can contribute to documentation if
you are still interested.
Thanks - Karl
Rahul
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list