Re: Announcing SPAN: SELinux Policy Analysis Notebook

Dominick Grift wrote:
On Sun, May 07, 2017 at 11:22:00AM -0400, Joshua Brindle wrote:
Dominick Grift wrote:
<snip>

The idea is nice, unfortunately it's inflexible and it has hard references to reference policy all over. It has potential but it is still rough.

Of course, it is an analysis of a refpolicy-based policy. If you want to
analyze a different policy (e.g., Android or home-rolled) you will have to
change out all of the type sets, etc.

You can't make a magic generic analysis script without knowing how key parts
of the system work and what types are associated with those components.

What do you mean? That, for example, that hard-coded array of "trusted" types? Is that not just redundant?


You mean the example trusted types? I'm not sure I understand your concern.

Can't I just create that array myself and use it to exclude rules with types in that array? That way one does not have to hard-code it.


It is python, you can do anything you want. The example notebook is a starting point, anyone doing an analysis would probably make major changes for their analysis, which is the point. You modify the notebook to build a usable analysis between the starting policy and the policy you are analyzing.

I've thought about trying this on an Android policy but haven't made it a priority.

Also with regard to hardcoding the refpolicy file system (ps.load_policy_source). I mean if you're just going to `grep -r` then why do we have to assume anything there and hard code file suffixes, directory structures etc.?
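One way to do the exclusion discussed above with a caller-supplied trusted set instead of a hard-coded one, as an added example that is not SPAN's code and does not use its API; the allow-rule text and type names are constructed, and the parser only handles plain `allow` lines, not attributes or conditionals.

```python
import re

# Constructed sample of refpolicy-style allow rules (not from any real policy).
SAMPLE_RULES = """
allow sshd_t user_home_t:dir { read search open };
allow { sshd_t init_t } tmp_t:file { read write };
allow httpd_t httpd_log_t:file { append create };
allow unconfined_t self:process *;
allow staff_t etc_t:file read;
"""

# source, target:class, permissions; each of source/target/perms may be a { set }.
RULE_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;"
)


def _split_set(token):
    """Turn `{ a b }` or `a` into a list of names."""
    return token.strip("{} ").split()


def parse_allow_rules(text):
    """Parse allow rules into (sources, targets, class, perms) tuples.

    Multi-type sets stay as lists so callers can match any member."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.append((_split_set(src), _split_set(tgt), cls, _split_set(perms)))
    return rules


def exclude_trusted(rules, trusted):
    """Drop rules whose source domains are all in the caller-supplied trusted set.

    A rule with a set source like { sshd_t init_t } is kept when any member is
    untrusted, because it still grants that untrusted domain the access."""
    trusted = set(trusted)
    return [r for r in rules if not set(r[0]) <= trusted]


if __name__ == "__main__":
    for rule in exclude_trusted(parse_allow_rules(SAMPLE_RULES), {"sshd_t", "unconfined_t"}):
        print(rule)
```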




