On 04/13/2009 03:28 AM, Alexey S. wrote:
On Fri, Apr 10, 2009 at 09:51:46AM -0500, Joe Nall wrote:
On Apr 10, 2009, at 7:34 AM, James Carter wrote:
On Thu, 2009-04-09 at 21:19 -0700, Casey Schaufler wrote:
That's easy to fix. Make the system smaller. ;)
I think that this would fit under complexity of SElinux policies.
Again, better layering is needed. It would be nice if I could just
write policy for the particular domains and resources that I cared
about
without having to worry about the policy for the rest of the system.
Unfortunately, policy writing differs from program writing in that
while
different programs that run on a system *share* resources and so it
doesn't matter what the other programs do (for the most part) as long
as
my program gets to use those resources at some point, all of the
policies work together to *control* resources. In the end, you must
have one policy. The question is how to write the policies in a more
layered way and have the policy infrastructure merge the layers
together.
audit2allow needs to understand your layers of abstraction or they won't
be very useful. I've watched a number of developers in our group stall at
the audit2allow policy writing level and never really get the need to
understand the system macros and the 'why' of it all.
Some of these same developers never get that some avcs are inevitable
and blithely grant privilege until they don't have any avcs - granting
user_t enormous new privs along the way. We use seinfo to look for
attribute diffs and source inspection, but we need better command line
tools to look for these issues in an automated way.
Me as policy developer will benefit a lot if there will be a tool, that
maps m4 macros to allows/denials and allows/denials back to m4 macros.
The only thing that is available to me now is 'grep -r', but it does not help
always.
I would like a system, that will answer my questions like:
'What macros can be used to generate these "allows"?' (sorted by the level of invocation)
'What macro generate this denies and where it is invoked from?' (sorted the same way)
'How the permissions of the domain will be affected if I add/throw out this macro?' (in current context)
Well, there is some tool, that does that. It is called human memory and experience.
But sometimes that fails. And it takes a lot of time to (re)gather that experience.
PS: Maybe have I missed something again? That tools will be so much useful.
sepolgen is supposed to do this, but it needs some tender loving care.
audit2allow -R
--
Alexey S.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
