On Fri, Feb 15, 2019 at 10:03 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 2/15/19 10:00 AM, Paul Moore wrote:
> > On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >> Add basic MLS policy support to mdp. Declares
> >> two sensitivities and two categories, defines
> >> mls constraints for all permissions requiring
> >> dominance (a la MCS), assigns the system-high
> >> level to initial SID contexts and the default user
> >> level, and assigns system-low level to filesystems.
> >>
> >> Also reworks the fs_use and genfscon rules to only
> >> generate rules for filesystems that are configured
> >> in the kernel. In some cases this depends on a specific
> >> config option for security xattrs, in other cases security
> >> xattrs are unconditionally supported by a given filesystem
> >> if the filesystem is enabled, and in some cases the filesystem
> >> is always enabled in the kernel. Dropped obsolete pseudo
> >> filesystems.
> >>
> >> NB The list of fs_use_* and genfscon rules emitted by mdp
> >> is very incomplete compared to refpolicy or Android sepolicy.
> >> We should probably expand it.
> >>
> >> Usage:
> >> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >> checkpolicy -M -o policy policy.conf
> >>
> >> Then install the resulting policy and file_contexts as usual.
> >>
> >> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >> ---
> >> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> >> collapse down to a single fprintf call per line.
> >>
> >> scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
> >> 1 file changed, 103 insertions(+), 28 deletions(-)
> >
> > This is great Stephen, thanks for working on this - and rather quickly
> > too! For those who don't follow the GitHub issues, I just opened an
> > issue yesterday mentioning it would be nice to add MLS support to the
> > mdp tool.
> >
> > Are you planning to keep playing with this? I'm asking not because I
> > think it needs more work to be worthwhile, but rather I don't want to
> > merge something that you want to continue working on. If you are
> > happy with this latest patch I think it is okay to merge this into
> > selinux/next, even at this late stage, simply because it is not part
> > of a built kernel, but rather a developer's tool.
>
> No, I think I'm done for now unless you find a problem with it. Absent
> some compelling use case for mdp it is hard to justify spending any more
> time on it.

For the record, I think having something like mdp is important as a
simple, quick to parse (by human eyes) demonstration of a "complete"
SELinux policy. I recognize we could have a lot of good arguments
about what constitutes a "complete" SELinux policy, but for mdp let's
try to keep it as simple as possible for now.

-- 
paul moore
www.paul-moore.com
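The commit message above describes the MLS section the patched mdp emits only in prose. The fragment below is an added illustration written for this page, not the output of mdp or code from the patch, showing what each of the described pieces looks like in policy.conf syntax for checkpolicy: two sensitivities with a dominance ordering, two categories, a level declaration per sensitivity, an MCS-style mlsconstrain on a class/permission set, a default user at system-high, an initial SID context at system-high, and fs_use/genfscon rules at system-low. The class names, the types (base_t), the user/role names (user_u, user_r) and the exact permission lists are assumptions; a real policy.conf also needs the class, initial SID, access vector, type and role declarations that precede this section, so this is a fragment to read alongside the generated file rather than a complete policy.

```text
# Illustrative MLS fragment (added for this page; names are assumed,
# not taken from mdp's actual output).

# Two sensitivities. "dominance" orders them: s1 (system-high) dominates
# s0 (system-low).
sensitivity s0;
sensitivity s1;
dominance { s0 s1 }

# Two categories, and the set of categories each sensitivity may carry.
# s1:c0.c1 is the system-high level; s0 alone is system-low.
category c0;
category c1;
level s0:c0.c1;
level s1:c0.c1;

# MCS-style constraints: the subject's high level (h1) must dominate the
# object's high level (h2). One such line is needed per class and
# permission set that should require dominance.
mlsconstrain file { read getattr execute } ( h1 dom h2 );
mlsconstrain dir  { read getattr search  } ( h1 dom h2 );

# ... type, role and allow rules go here (omitted) ...

# Default user: default level and clearance at system-high, so it can
# operate on both system-low filesystems and system-high objects.
user user_u roles { user_r } level s1:c0.c1 range s0 - s1:c0.c1;

# Initial SID contexts carry the system-high level.
sid kernel   user_u:user_r:base_t:s1:c0.c1
sid security user_u:user_r:base_t:s1:c0.c1

# Filesystems are labeled at system-low. fs_use_* lines end with ';',
# genfscon lines do not.
fs_use_xattr ext4 user_u:user_r:base_t:s0;
fs_use_task  pipefs user_u:user_r:base_t:s0;
fs_use_trans devpts user_u:user_r:base_t:s0;
genfscon proc /      user_u:user_r:base_t:s0
genfscon sysfs /     user_u:user_r:base_t:s0
```

The practical check after building with `checkpolicy -M` is that the policy loads with MLS enabled and that a process at s1:c0.c1 can read s0 files while the reverse is refused by the mlsconstrain, which is exactly the dominance relation the commit message describes; that behaviour follows from the `h1 dom h2` constraint and the level assignments shown, not from anything specific to mdp.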