On 11/09/2016 07:40 AM, Dominick Grift wrote:
I am in the process of a DSSP rewrite, taking a different approach this time. However, I encountered something that seems suboptimal: SECILC seems to not filter redundant attributes and rules.

Example: I have a type attribute and it has rules associated with it. However, the type attribute is not associated with any types. I was hoping that SECILC would be smart enough to determine that it might as well filter both the type attribute as well as the rules associated with it.

To reproduce:

git clone https://github.com/DefenSec/dssp1-base.git
cd dssp1-base
secilc `ls *.cil`
sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30

Am I expecting the impossible by expecting SECILC to be smart enough to determine that something is redundant, and that it can be filtered out until it becomes applicable?
I don't think that it would be too hard to remove attributes that have no types associated with them along with rules containing those attributes. I have this nagging feeling, though, that there is a reason that we didn't do that. I'll have to think about it a bit.
Jim
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
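A minimal standalone reproduction of the behaviour Dominick describes, added here as an illustration; it is not code from DSSP or from the secilc/libsepol project. All identifiers (kernel_t, unused_attr, system_u, system_r, the MLS levels) are placeholders chosen for this example, and the policy is deliberately reduced to the statements secilc needs to produce a binary at all. The attribute unused_attr never receives a typeattributeset, so it has no member types, yet the allow rule that references it is still written into the output policy and shows up in sesearch/seinfo.

```cil
; ---- minimal MLS base so secilc will compile (placeholder identifiers) ----
(mls true)
(sid kernel)
(sidorder (kernel))
(sidcontext kernel (system_u system_r kernel_t ((s0) (s0))))

(class file (read))
(classorder (file))

(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(levelrange lr (low low))

(user system_u)
(userrange system_u lr)
(userlevel system_u low)
(role system_r)
(type kernel_t)
(roletype system_r kernel_t)
(userrole system_u system_r)

; ---- the case under discussion ----
; An attribute that is declared and used as a rule source, but never
; populated with a (typeattributeset ...) statement: it has zero members.
(typeattribute unused_attr)

; This rule can never match any access check, because no type is a
; member of unused_attr. It nevertheless survives into the binary policy.
(allow unused_attr kernel_t (file (read)))

; Build and inspect (commands to run from a shell, shown here as comments):
;   secilc policy.cil                       ; writes policy.<version>
;   seinfo -a unused_attr -x policy.*       ; attribute is present, with no types
;   sesearch -A -s unused_attr policy.*     ; the dead allow rule is still there
```

If secilc ever gained the optimisation Dominick asks about, the expected result would be that both seinfo and sesearch report nothing for unused_attr after compilation; with current behaviour the attribute and its rule are kept. The only cost is policy size and slightly larger attribute bitmaps, not a security difference, since a rule whose source attribute is empty grants nothing.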