On Fri, Apr 10, 2009 at 09:51:46AM -0500, Joe Nall wrote: > > On Apr 10, 2009, at 7:34 AM, James Carter wrote: > >> On Thu, 2009-04-09 at 21:19 -0700, Casey Schaufler wrote: >> >> That's easy to fix. Make the system smaller. ;) >> >> I think that this would fit under complexity of SElinux policies. >> >> Again, better layering is needed. It would be nice if I could just >> write policy for the particular domains and resources that I cared >> about >> without having to worry about the policy for the rest of the system. >> Unfortunately, policy writing differs from program writing in that >> while >> different programs that run on a system *share* resources and so it >> doesn't matter what the other programs do (for the most part) as long >> as >> my program gets to use those resources at some point, all of the >> policies work together to *control* resources. In the end, you must >> have one policy. The question is how to write the policies in a more >> layered way and have the policy infrastructure merge the layers >> together. > > audit2allow needs to understand your layers of abstraction or they won't > be very useful. I've watched a number of developers in our group stall at > the audit2allow policy writing level and never really get the need to > understand the system macros and the 'why' of it all. > > Some of these same developers never get that some avcs are inevitable > and blithely grant privilege until they don't have any avcs - granting > user_t enormous new privs along the way. We use seinfo to look for > attribute diffs and source inspection, but we need better command line > tools to look for these issues in an automated way. Me as policy developer will benefit a lot if there will be a tool, that maps m4 macros to allows/denials and allows/denials back to m4 macros. The only thing that is available to me now is 'grep -r', but it does not help always. I would like a system, that will answer my questions like: 'What macros can be used to generate these "allows"?' (sorted by the level of invocation) 'What macro generate this denies and where it is invoked from?' (sorted the same way) 'How the permissions of the domain will be affected if I add/throw out this macro?' (in current context) Well, there is some tool, that does that. It is called human memory and experience. But sometimes that fails. And it takes a lot of time to (re)gather that experience. PS: Maybe have I missed something again? That tools will be so much useful. -- Alexey S. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
