On 11/09/2016 03:52 PM, James Carter wrote:
> On 11/09/2016 07:40 AM, Dominick Grift wrote:
>> I am in the process of a DSSP rewrite, taking a different approach this
>> time.
>>
>> However, I encountered something that seems suboptimal:
>>
>> SECILC seems to not filter redundant attributes and rules.
>>
>> Example: I have a type attribute and it has rules associated with it.
>> However, the type attribute is not associated with any types.
>>
>> I was hoping that SECILC would be smart enough to determine that it
>> might as well filter both the type attribute as well as the rules
>> associated with it.
>>
>> To reproduce:
>>
>> git clone https://github.com/DefenSec/dssp1-base.git
>> cd dssp1-base
>> secilc `ls *.cil`
>> sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
>> seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
>>
>> Am I expecting the impossible by expecting SECILC to be smart enough to
>> determine that something is redundant, and that it can be filtered out
>> until it becomes applicable?
>>
>
> I don't think that it would be too hard to remove attributes that have
> no types associated with them along with rules containing those
> attributes. I have this nagging feeling, though, that there is a reason
> that we didn't do that. I'll have to think about it a bit.
>
> Jim

Have you given this some thought?

I suspect this could have significant impact. Consider the following:

CIL encourages the use of attributes to the fullest extent, and with dssp1 I have taken this to heart. This should make dssp1 very scalable. The more an identifier is used, the greater the potential benefit.

Attributes and templates are at the heart of dssp1, and if the dssp1 model turns out to work (it is still a work in progress and I don't quite see where this is eventually taking me) then this would be a very welcome feature.

If you want to see the current state of dssp1:

git clone https://github.com/DefenSec/dssp1-base.git
cd dssp1-base
secilc `ls *.cil`
seinfo policy.30

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
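The redundancy discussed in the thread (a typeattribute that carries AV rules but is never given any members) can be checked for before compiling. The following is an added example, not code from the thread, dssp1 or secilc: a small Python lint over flat CIL text, assuming no block/optional nesting and no macros, with a constructed sample policy whose names are modelled on the ld_so attribute above.

```python
# Added example (not code from the thread, dssp1 or secilc): lint flat CIL
# for typeattributes that carry rules but were never given any types.
import re

AV_RULES = {"allow", "auditallow", "dontaudit", "neverallow"}

def parse_cil(text: str) -> list:
    """Parse CIL into nested lists of strings; ';' begins a line comment."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # IndexError on a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '(' in CIL input")
    return stack[0]

def find_empty_attributes(text: str) -> dict:
    """Map each typeattribute lacking a typeattributeset to AV rules naming it."""
    # Assumes flat CIL (no block/optional nesting, no macros). A set whose
    # expression resolves to zero types is not caught; that needs the resolver.
    declared, populated, rules = set(), set(), {}
    for stmt in parse_cil(text):
        if not isinstance(stmt, list) or not stmt:
            continue
        head = stmt[0]
        if head == "typeattribute" and len(stmt) == 2:
            declared.add(stmt[1])
        elif head == "typeattributeset" and len(stmt) >= 2:
            populated.add(stmt[1])
        elif head in AV_RULES and len(stmt) >= 3:
            for name in stmt[1:3]:  # source and target may be attributes
                if isinstance(name, str):
                    rules.setdefault(name, []).append(stmt)
    return {a: rules.get(a, []) for a in sorted(declared - populated)}

# Constructed sample: one attribute with a rule but no members, one populated,
# one declared and never used anywhere.
SAMPLE_CIL = """
(type ld_so_t) (type bin_t) (typeattribute unused_attribute)
(typeattribute ld_so_read_files_subj_type_attribute)  ; never populated
(typeattribute bin_exec_subj_type_attribute)
(typeattributeset bin_exec_subj_type_attribute (bin_t))
(allow ld_so_read_files_subj_type_attribute ld_so_t (file (read open)))
(allow bin_exec_subj_type_attribute bin_t (file (execute)))
"""
```

Running `find_empty_attributes(SAMPLE_CIL)` reports the ld_so attribute together with the one allow rule that would be dead in the compiled policy, and the unused attribute with no rules at all.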
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.