On 11/14/2016 11:11 AM, Dominick Grift wrote:
> On 11/09/2016 03:52 PM, James Carter wrote:
>> On 11/09/2016 07:40 AM, Dominick Grift wrote:
>>> I am in the process of a DSSP rewrite, taking a different approach this
>>> time.
>>>
>>> However, I encountered something that seems suboptimal:
>>>
>>> SECILC seems to not filter redundant attributes and rules.
>>>
>>> Example: I have a type attribute and it has rules associated with it.
>>> However, the type attribute is not associated with any types.
>>>
>>> I was hoping that SECILC would be smart enough to determine that it
>>> might as well filter both the type attribute as well as the rules
>>> associated with it.
>>>
>>> To reproduce:
>>>
>>> git clone https://github.com/DefenSec/dssp1-base.git
>>> cd dssp1-base
>>> secilc `ls *.cil`
>>> sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
>>> seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
>>>
>>> Am I expecting the impossible by expecting SECILC to be smart enough to
>>> determine that something is redundant, and that it can be filtered out
>>> until it becomes applicable?
>>>
>>
>> I don't think that it would be too hard to remove attributes that have
>> no types associated with them along with rules containing those
>> attributes. I have this nagging feeling, though, that there is a reason
>> that we didn't do that. I'll have to think about it a bit.
>>
>> Jim
>
> Have you given this some thought?
>
> I suspect this could have significant impact.
>
> Consider the following:
>
> CIL encourages the use of attributes to the fullest extent, and with
> dssp1 I have taken this to heart.
>
> This should make dssp1 very scalable. The more an identifier is used,
> the greater the potential benefit.
>
> Attributes and templates are at the heart of dssp1, and if the dssp1
> model turns out to work (it is still a work in progress and I don't quite
> see where this is eventually taking me) then this would be a very
> welcome feature.
>
> If you want to see the current state of dssp1:
>
> git clone https://github.com/DefenSec/dssp1-base.git
> cd dssp1-base
> secilc `ls *.cil`
> seinfo policy.30

Here is a 10 minute demo that tries to explain the benefits and the current drawbacks of this approach (for anyone interested):

https://www.youtube.com/watch?v=MdqjVgjXvM8

>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@xxxxxxxxxxxxx
>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>> To get help, send an email containing "help" to
>>> Selinux-request@xxxxxxxxxxxxx.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
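The situation described in the thread (a CIL type attribute that carries allow rules but is never given any types by a typeattributeset) can be spotted before compilation with a small checker. The script below is an added example, not part of this thread or of secilc or dssp1; it assumes a flat, un-namespaced CIL file, treats any typeattributeset statement as populating its attribute, and uses a constructed CIL fragment whose names are made up for illustration.

```python
import re

# Constructed CIL fragment (not taken from dssp1): one attribute that has
# types and rules, and one attribute that has rules but never gets any types.
SAMPLE_CIL = """
(type ld_so_t)
(type libfoo_t)
(typeattribute ld_so_read_files_subj)
(typeattribute ld_so_exec_files_subj)
(typeattributeset ld_so_read_files_subj (libfoo_t))
(allow ld_so_read_files_subj ld_so_t (file (read open)))
(allow ld_so_exec_files_subj ld_so_t (file (execute)))
(allow libfoo_t ld_so_t (file (getattr)))
"""

AV_RULES = ("allow", "auditallow", "dontaudit", "neverallow")

def parse_sexprs(text):
    """Minimal s-expression reader for CIL: nested lists of token strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]

def unused_attributes(text):
    """Map each declared attribute with no typeattributeset to the AV rules
    that mention it as source or target (the 'redundant' rules)."""
    stmts = [s for s in parse_sexprs(text) if s]
    declared = {s[1] for s in stmts if s[0] == "typeattribute"}
    populated = {s[1] for s in stmts if s[0] == "typeattributeset"}
    empty = declared - populated
    rules = {attr: [] for attr in empty}
    for s in stmts:
        if s[0] in AV_RULES and len(s) >= 3:
            for name in (s[1], s[2]):
                if name in empty:
                    rules[name].append(s)
    return rules

if __name__ == "__main__":
    for attr, hits in unused_attributes(SAMPLE_CIL).items():
        print(f"{attr}: no types, {len(hits)} rule(s) would be dead")
```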