On 08/26/11 08:59, Daniel J Walsh wrote:
> On 08/25/2011 10:22 PM, Eric Paris wrote:
>> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>>> Daniel J Walsh wrote:
>>>> The Fedora policy has removed all calls that do stuff like
>>>>
>>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>>
>>>> Which generates hundreds/thousands of rules when run through the
>>>> M4 macro, since it writes a rule for each file_type except the
>>>> shadow_t. Anywhere in policy that we use this construct has to
>>>> be reworked and this shrunk the policy by 90%. Your
>>>> enhancement just adds another 5% reduction after this change.
>>>> I sent a patch to refpolicy yesterday to fix the coreutils
>>>> interfaces that were doing something like this.
>>>>
>>> I don't know much about Fedora policy, but for upstream refpolicy
>>> and toolchain my patch would contribute a 45% size reduction for
>>> raw policy, and before I sent my patchset out for review I had not
>>> seen your patch.
>>>
>>> Anyway, it would be fantastic to have your patch to further
>>> drastically reduce the raw policy size; the whole community would
>>> benefit from each single contributor's effort like this.
>
>> Agreed. I'm excited about both approaches (reducing the policy
>> size by using attributes and eliminating needless unused portions
>> of booleans). I'm glad to see Dan pushing his changes. Once this
>> patch set is finished I'll be very happy to see a further 5-6%
>> reduction in the policy size of Fedora!
>>
>> -Eric
>>
>> --
>> This message was distributed to subscribers of the selinux
>> mailing list. If you no longer wish to subscribe, send mail to
>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
>> without quotes as the message.
>
> I agree, I would like to take the patch to make tunables real, but we
> need to have a similar level of diagnosis capability to what we have now.
>
> The admin needs to know what the tunables are and needs to be able to
> take an AVC and see if any tunable/boolean would allow the AVC.
>
> If we had this, I would be racing towards the tunable.
>
> I see this as two steps.
>
> 1. Implement what we have now in booleans in tunables to shrink the
> size of policy.
> 2. Allow policy writers to define rules within tunables that are
> currently not available in booleans.
> - Type Definitions
> - Assigning attributes

I would go farther than that. I think it should be any statement that is
allowed in an optional block. If I can get the RBAC stuff in there, then I
can get rid of the DIRECT_INITRC build option, which exists due to the
role_transition statement in the init_run_daemon() interface.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
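The following is an added illustration, not code from the thread or from refpolicy or the SELinux toolchain. It models the size problem Dan describes: a target type set with an exclusion such as `{ file_type -shadow_t }` cannot be kept as a single attribute reference, so it is enumerated into one explicit rule per surviving type, whereas a rule written against a plain attribute stays as one rule. The rework he mentions is modelled by `define_attribute`, which gives every member of `file_type` except `shadow_t` a new attribute (the name `non_auth_file_type`, the type names other than `file_type` and `shadow_t`, and the simplified rule grammar are all constructed for this example; real expansion happens in checkpolicy/libsepol, not here).

```python
"""Toy model of SELinux avrule expansion for negated type sets.

Added example; the type table, the attribute name non_auth_file_type and the
rule grammar are constructed for illustration and do not come from refpolicy.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed toy policy: a handful of types carrying the file_type attribute.
# file_type and shadow_t are named in the thread; the other types are made up.
ATTRIBUTES: Dict[str, Set[str]] = {
    "file_type": {"etc_t", "bin_t", "lib_t", "tmp_t", "var_t", "shadow_t"},
}

# Simplified grammar: allow <src> <target-or-set>:<class> <perm-or-set>;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+);$"
)


def parse_type_set(expr: str) -> Tuple[List[str], List[str]]:
    """Split '{ a b -c }' or a bare name into (included names, excluded names)."""
    tokens = expr.strip("{} ").split()
    included = [t for t in tokens if not t.startswith("-")]
    excluded = [t[1:] for t in tokens if t.startswith("-")]
    return included, excluded


def resolve(names: List[str], attributes: Dict[str, Set[str]]) -> Set[str]:
    """Map each name to its member types if it is an attribute, else to itself."""
    out: Set[str] = set()
    for name in names:
        out |= attributes.get(name, {name})
    return out


def expand_avrule(rule: str, attributes: Dict[str, Set[str]]) -> List[str]:
    """Return the concrete rules the toolchain would have to carry for `rule`."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparsed rule: {rule}")
    src, target, cls, perms = m.groups()
    included, excluded = parse_type_set(target)
    # A single attribute with no exclusion stays one rule: the kernel matches
    # the attribute's member types when it looks the rule up.
    if not excluded and len(included) == 1 and included[0] in attributes:
        return [rule.strip()]
    # Any exclusion forces enumeration: one explicit rule per surviving type.
    targets = resolve(included, attributes) - resolve(excluded, attributes)
    return [f"allow {src} {t}:{cls} {perms};" for t in sorted(targets)]


def define_attribute(name: str, base: str, exclude: Set[str],
                     attributes: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Model the rework: give every member of `base` except `exclude` a new
    attribute so that rules can name it directly instead of subtracting."""
    new = {k: set(v) for k, v in attributes.items()}
    new[name] = attributes[base] - set(exclude)
    return new


def compare() -> Tuple[int, int]:
    """Rule counts for the subtracting form versus the attribute form."""
    expensive = expand_avrule(
        "allow xyz_t { file_type -shadow_t }:file read;", ATTRIBUTES)
    reworked_attrs = define_attribute(
        "non_auth_file_type", "file_type", {"shadow_t"}, ATTRIBUTES)
    cheap = expand_avrule(
        "allow xyz_t non_auth_file_type:file read;", reworked_attrs)
    return len(expensive), len(cheap)


if __name__ == "__main__":
    for r in expand_avrule(
            "allow xyz_t { file_type -shadow_t }:file read;", ATTRIBUTES):
        print(r)
    print("rule counts (subtracting form, attribute form):", compare())
```

With six toy file types the subtracting form becomes five explicit rules and the attribute form stays at one; with the hundreds of file types in a real policy, and the construct repeated across many interfaces, the difference is the multiplication Dan describes. The toy deliberately ignores `~` complements, `self`, and the type-set expansion of the source side.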