-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2010 10:25 AM, Karl MacMillan wrote: > On Fri, Apr 23, 2010 at 11:09 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I do not totally understand your matching, but I thought if you looked for >> >> allow TYPE etc_t:file getattr; >> >> You could get extra matches. >> > > That's essentially what I do. > >> I was thinking in terms of sepolgen-ifgen would take every type and >> expand the attributes for the type then if you find attribute that >> matches, not add weight. >> > > I think you are missing what the core problem is - it's easy to find > interfaces that match this access. Many interfaces (including > files_read_etc_files) include a rule that directly matches getattr on > etc_t files. So I don't really need to do attribute expansion to get > enough matches. > > The key problem is finding the _best_ match, which I define as the > interface that allows the requested access with the least amount of > "extra" access. That's what the distance measure is for - it is a > measure of extra access. So I add extra distance for access to > unrelated types, extra permissions, returning a write interface when a > read was requested, etc. So when you add access to a broad attribute > in files_read_etc_files the distance measure - as currently shipped - > adds more distance for 1 type (the attribute). However, when I expand > the attribute the distance goes up because it becomes clear that the > interface is in fact allowing a _lot_ of access. > > This seems correct to me, hence my request to return what was intended > to be a narrow interface back to that narrow definition. > > However, there are some things that I can do to make this distance > algorithm better: > > 1. Don't penalize as much for access that involves container object > classes, such as directory, in an attempt to not penalize for access > that is actually related. > > 2. Detect execute and add a big penalty for interfaces that allow > execute when it wasn't requested (similar to what I do with write). > > I'm also open to other suggestions. I don't think that what I have is > perfect. However, none of this will fix the fact that the > files_read_etc_files shipped in Fedora grants broad access. If > everyone agrees that we want that interface to match regardless then I > think we are going to have to add some other mechanism to the matching > algorithm. Perhaps some "hinting" mechanism to let the policy author > to tell sepolgen to prefer certain interfaces. I might even be able to > automatically derive this from how popular the interface is in current > policies. > > Karl I understand, although I don't agree with penalizying because you match on an attribute, Currently if I wrote this interface the way I want, with just the attribute your algorithm would not find it at all. files_read_etc_files to me means match all config files in the /etc directory, just because some random application decides to change the context of /etc/hostname to etc_runtime_t or net_conf_t, we should not need to change all domains that are supposed to read generic files in /etc. Especially when I don't even need to read them. I would argue that allow X etc_t:file read; allow X configfile:file read; Should be weighted equivalently if etc_t is a configfile or only slightly heavier, and just because etc_runtime_t or some other random types are configfile does not mean we need to add weight. But when the attribute adds more weight then "write" does, I think the algorithm is broken. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvYVZEACgkQrlYvE4MpobPf6QCfY6wAi3VqF9s3do7QwAoQ8UrA PZwAoN5L0WvquabGFHNfINoJq4MkOy8S =l2u0 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
