On Wed, Nov 09, 2016 at 09:52:35AM -0500, James Carter wrote:
> On 11/09/2016 07:40 AM, Dominick Grift wrote:
> > I am in the process of a DSSP rewrite, taking a different approach this
> > time.
> >
> > However, I encountered something that seems suboptimal:
> >
> > SECILC seems to not filter redundant attributes and rules.
> >
> > Example: I have a type attribute and it has rules associated with it.
> > However, the type attribute is not associated with any types.
> >
> > I was hoping that SECILC would be smart enough to determine that it
> > might as well filter both the type attribute as well as the rules
> > associated with it.
> >
> > To reproduce:
> >
> > git clone https://github.com/DefenSec/dssp1-base.git
> > cd dssp1-base
> > secilc `ls *.cil`
> > sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
> > seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
> >
> > Am I expecting the impossible by expecting SECILC to be smart enough to
> > determine that something is redundant, and that it can be filtered out
> > until it becomes applicable?
>
> I don't think that it would be too hard to remove attributes that have no
> types associated with them along with rules containing those attributes. I
> have this nagging feeling, though, that there is a reason that we didn't do
> that. I'll have to think about it a bit.
>
> Jim
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency

I had a hack 'n' slash attempt at this earlier for just avrules by adding
naive checks in avrule_write (libsepol/src/write.c) to check if both the
source and target type_set bitmaps have a cardinality of 0, though I
couldn't help but think I was missing something else. That didn't work in
any case, and it didn't seem like the codepath is ever hit when a CIL policy
is written to disk (maybe avrule_write is only called for module policy?).

Any hints on where I can start prodding? Would be nice to get an idea of
how the binary policy is serialized too.

--
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
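The check the thread is discussing (an attribute that is declared and used in rules but never given any member type, so the rules can never match) can be illustrated at the CIL source level. The following is an added example written for this page, not code from secilc, libsepol or the DSSP project. It parses a small constructed CIL fragment (not taken from dssp1-base), lists type attributes with no typeattributeset members, and lists the allow/auditallow/dontaudit/neverallow rules whose source or target is such an attribute. It is deliberately simplified: it treats an attribute as populated as soon as any typeattributeset names a member for it, and it ignores blocks, namespaces, optionals and set-expression evaluation, all of which secilc itself resolves before anything is written out.

```python
"""Find CIL type attributes that never receive a member type, plus the
access-vector rules that reference them.  Illustrative only; this is not
how secilc or libsepol represent or resolve a policy."""
import re
from collections import defaultdict

# Constructed sample policy (not from dssp1-base).  `idle_attr` is declared
# and used in two rules but never populated via typeattributeset.
SAMPLE_CIL = """
; comment lines are stripped before parsing
(type ld_so_t)
(type bin_t)
(typeattribute ld_so_read_files_subj)
(typeattribute idle_attr)
(typeattributeset ld_so_read_files_subj (bin_t))
(allow ld_so_read_files_subj ld_so_t (file (read open getattr)))
(allow idle_attr ld_so_t (file (read)))
(allow bin_t idle_attr (file (execute)))
(allow bin_t ld_so_t (file (execute)))
"""

TOKEN = re.compile(r'\(|\)|[^\s()]+')
AV_RULES = {'allow', 'auditallow', 'dontaudit', 'neverallow'}
SET_OPERATORS = {'and', 'or', 'xor', 'not', 'all'}


def parse(text):
    """Parse CIL s-expressions into nested lists; atoms stay as strings."""
    text = re.sub(r';.*', '', text)          # drop ';' comments
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def atoms(expr):
    """Yield the names mentioned in a typeattributeset expression,
    skipping the set operators (and/or/xor/not/all)."""
    if isinstance(expr, str):
        if expr not in SET_OPERATORS:
            yield expr
    else:
        for e in expr:
            yield from atoms(e)


def find_unused_attributes(cil_text):
    """Return (empty_attrs, dead_rules).

    empty_attrs: sorted attribute names with no typeattributeset member.
    dead_rules:  AV rule statements whose source or target is one of them;
                 their type sets are empty, so they can never match."""
    stmts = [s for s in parse(cil_text) if isinstance(s, list) and s]
    attrs = {s[1] for s in stmts if s[0] == 'typeattribute'}
    members = defaultdict(set)
    for s in stmts:
        if s[0] == 'typeattributeset' and len(s) >= 3:
            # Simplification: any named member counts; a real resolver
            # would evaluate the set expression against declared types.
            members[s[1]].update(atoms(s[2]))
    empty = sorted(a for a in attrs if not members.get(a))
    dead = [s for s in stmts
            if s[0] in AV_RULES and len(s) >= 3
            and (s[1] in empty or s[2] in empty)]
    return empty, dead


if __name__ == '__main__':
    empty, dead = find_unused_attributes(SAMPLE_CIL)
    print("attributes with no members:", empty)
    for rule in dead:
        print("rule with empty type set:", rule)
```

Running it on the constructed sample reports `idle_attr` as empty and the two rules that name it. Note that this only says what a source-level pass can see; whether such rules should be dropped from the kernel policy, and where in libsepol that would have to happen, is exactly what the thread above is asking.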
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.