Re: Help with SELinux policy for Usability Study

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel J Walsh wrote:
BTW, if you use the sepolgen command line that is in F11 and Rawhide, it has new features to examine the executable and rpm information to generate more data automatigically.  It is using the same framework that polgengui is using. 

You can execute

sepolgen /usr/sbin/myapp

And it will generate the myapp,te, if, fc, sh file automatically, No gui to walk though.

For example it will look for paths in the rpm that match /var/run/myapp, /var/lib/myapp ... and create proper types.
It also runs nm -D /usr/sbin/myapp looking for function calls that it knows require certain interfaces,  If it find syslog it will add the 

logging_send_syslog_msg(myapp_t) 

call.

I have not merged this stuff back into the GUI yet.
  

Thanks. They sound like helpful features. They sound similar to some of the techniques my own tool uses.

I tested sepolgen with a few apps. Since the results still require a very similar amount of manual editing it is probably fairest to use the gui tool as much as possible as the other systems participants will use all use gui policy management tools.

Some information about the study:
    - Participants will be shown a prerecorded explanation and demonstration of SELinux
    - And have a limited amount of time to confine some programs
    - I don't want to go into too much detail here until the study is complete

Justification for using polgengui:
    - It ships standard with fedora
    - It has a gui (like the other tools they will be using)
    - It has a short learning curve (as opposed to perhaps SLIDE, which appears to be a more comprehensive tool for policy design but maybe not as suited to the average user)

Some questions:
Does SLIDE automate more of the process, such as adding to the created policy?
Is there a tool or command to put a domain into enforcing mode rather than manually editing the .te file? (system-config-selinux seems to think it is already in enforcing mode)

Some suggestions:
It might be a good idea to make the gui tools such as setroubleshoot aware of permissive domains, as it simply says that selinux enforcing mode is on.
It may be a good idea to create a gui tool which steps users through the process of adding to a .te file using audit2allow (if one doesn't exist already).

Christopher Pardy wrote:
Please CC me any results you find as well as any issues with the gui tools as I'm revamping them for F12.
  
Sure. Participants will give feedback such as suggestions for improvement.

Thanks again everyone for your advice and suggestions,

Cliffe.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux