On Fri, Apr 23, 2010 at 11:09 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I do not totally understand your matching, but I thought if you looked for > > allow TYPE etc_t:file getattr; > > You could get extra matches. > That's essentially what I do. > I was thinking in terms of sepolgen-ifgen would take every type and > expand the attributes for the type then if you find attribute that > matches, not add weight. > I think you are missing what the core problem is - it's easy to find interfaces that match this access. Many interfaces (including files_read_etc_files) include a rule that directly matches getattr on etc_t files. So I don't really need to do attribute expansion to get enough matches. The key problem is finding the _best_ match, which I define as the interface that allows the requested access with the least amount of "extra" access. That's what the distance measure is for - it is a measure of extra access. So I add extra distance for access to unrelated types, extra permissions, returning a write interface when a read was requested, etc. So when you add access to a broad attribute in files_read_etc_files the distance measure - as currently shipped - adds more distance for 1 type (the attribute). However, when I expand the attribute the distance goes up because it becomes clear that the interface is in fact allowing a _lot_ of access. This seems correct to me, hence my request to return what was intended to be a narrow interface back to that narrow definition. However, there are some things that I can do to make this distance algorithm better: 1. Don't penalize as much for access that involves container object classes, such as directory, in an attempt to not penalize for access that is actually related. 2. Detect execute and add a big penalty for interfaces that allow execute when it wasn't requested (similar to what I do with write). I'm also open to other suggestions. I don't think that what I have is perfect. However, none of this will fix the fact that the files_read_etc_files shipped in Fedora grants broad access. If everyone agrees that we want that interface to match regardless then I think we are going to have to add some other mechanism to the matching algorithm. Perhaps some "hinting" mechanism to let the policy author to tell sepolgen to prefer certain interfaces. I might even be able to automatically derive this from how popular the interface is in current policies. Karl -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
